WebApp Sec mailing list archives

Tying a session to an IP address

From: Paul Johnston <paul () westpoint ltd uk>
Date: Mon, 10 May 2004 14:13:51 +0100

Hi,

I'm interested in the merits of restricting a session to an IP address.I realise this isn't great security as often many users will appear tocome from the same IP address (NAT, proxies, etc.) However, if youconsider the case where an attacker uses an XSS vulnerability to stealthe session ID, then the IP address restriction raises the barconsiderably for an arbitrary remote attacker to exploit this. I'mworried that the IP address restriction wouldn't work for all users -e.g. if their ISP uses load-balanced web caches. Does anyone know howcommon such arrangements are in practice? Perhaps something to be donethen is just check the top 16 bits of the IP address. This is likely towork for all such network arrangements and still raises the bar a lotfor remote attacks.


Does anyone here already restrict sessions by IP address?

Regards,

Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk

Current thread:

Tying a session to an IP address Paul Johnston (May 10)
- Re: Tying a session to an IP address exon (May 10)
  - Re: Tying a session to an IP address Rogan Dawes (May 10)
    - Re: Tying a session to an IP address exon (May 10)
- Re: Tying a session to an IP address Chris Burton (May 10)
- Re: Tying a session to an IP address Imre Kertesz (May 10)
- Re: Tying a session to an IP address [summary] Paul Johnston (May 12)
- <Possible follow-ups>
- RE: Tying a session to an IP address Mike Randall (May 10)
- RE: Tying a session to an IP address Imperva Application Defense Center (May 10)
  - Re: Tying a session to an IP address T.J. (May 10)
  - Re: Tying a session to an IP address Adam Tuliper (May 10)

(Thread continues...)