WebApp Sec mailing list archives
RE: Tying a session to an IP address
From: "Mike Randall" <mrandall () ajla net>
Date: Mon, 10 May 2004 08:50:00 -0500
The application I'm now working on requires users to reauthenticate if their IP address changes in mid-session. Their session then resumes where they left off. Since some users on dial-up can switch IPs frequently, we set it up so that they must reauthenticate once per IP address. So, if they bounce back and forth among 4 IP addresses in a session, they must authenticate only 4 times, instead of each time their IP switches. Mike Randall APA IV, Web Developer AJLA-TS, KDHR Email: mrandall () ajla net -----Original Message----- From: Paul Johnston [mailto:paul () westpoint ltd uk] Sent: Monday, May 10, 2004 8:14 AM To: webappsec () securityfocus com Subject: Tying a session to an IP address Hi, I'm interested in the merits of restricting a session to an IP address. I realise this isn't great security as often many users will appear to come from the same IP address (NAT, proxies, etc.) However, if you consider the case where an attacker uses an XSS vulnerability to steal the session ID, then the IP address restriction raises the bar considerably for an arbitrary remote attacker to exploit this. I'm worried that the IP address restriction wouldn't work for all users - e.g. if their ISP uses load-balanced web caches. Does anyone know how common such arrangements are in practice? Perhaps something to be done then is just check the top 16 bits of the IP address. This is likely to work for all such network arrangements and still raises the bar a lot for remote attacks. Does anyone here already restrict sessions by IP address? Regards, Paul -- Paul Johnston Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk
Current thread:
- Tying a session to an IP address Paul Johnston (May 10)
- Re: Tying a session to an IP address exon (May 10)
- Re: Tying a session to an IP address Rogan Dawes (May 10)
- Re: Tying a session to an IP address exon (May 10)
- Re: Tying a session to an IP address Rogan Dawes (May 10)
- Re: Tying a session to an IP address Chris Burton (May 10)
- Re: Tying a session to an IP address Imre Kertesz (May 10)
- Re: Tying a session to an IP address [summary] Paul Johnston (May 12)
- <Possible follow-ups>
- RE: Tying a session to an IP address Mike Randall (May 10)
- RE: Tying a session to an IP address Imperva Application Defense Center (May 10)
- Re: Tying a session to an IP address T.J. (May 10)
- Re: Tying a session to an IP address Adam Tuliper (May 10)
- RE: Tying a session to an IP address Steve McCullough (May 11)
- RE: Tying a session to an IP address Wolf, Yonah (May 10)
- RE: Tying a session to an IP address Scovetta, Michael V (May 10)
- Re: Tying a session to an IP address exon (May 10)
- Re: Tying a session to an IP address Mark Foster (May 10)
- Re: Tying a session to an IP address exon (May 10)
- RE: Tying a session to an IP address Tom Arseneault (May 10)
(Thread continues...)
- Re: Tying a session to an IP address exon (May 10)