WebApp Sec mailing list archives

Re: Session Management and IP address - experiences?


From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Thu, 2 Sep 2004 12:40:05 -0700

It is common knowledge that things like load-balanced proxies, where the IP
address might change within a running session, interfere with this kind of
security-enhanced session management.

It's pretty common, especially for those using the biggest ISPs who use
these schemes.  Most others come from a single proxy or NAT/gw so the IP
wouldn't change.

Is it perhaps acceptable, as it happens only in rare cases? If this is the
case, one might present the user another login where he can prove his
identity again and continue with the session.

But what ACTUAL problem are you trying to avoid?  Have you seen someone step
in the middle of one of your users' activities, steal a session cookie, and
then impersonate them?  If not, perhaps you are solving problems you don't
really have, so why put the headache in for those who will have issues
because they are behind such proxies?

(It is another story that session-IP-binding wouldn't solve the whole
problem, as there are several scenarios where an attacker might use the
same proxy etc. as the victim...)

Exactly, which also leads to the question of why bother?

Perhaps if IPv6 ever gets into widespread use (ha ha ha?!) this will be
powerful because such proxies may no longer be there.  Today, it seems like
solving a problem that perhaps doesn't exist.  Couple a good session id
(random and long) with SSL and you'll find most of your security violations
result from bad passwords and social engineering attacks -- they are much
easier to hack than stepping in the middle of a session...

David
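As an added illustration (not code from the thread or from either poster), here is the fallback the quoted message suggests: a session bound to the login IP that, on a mismatch, is gated behind a fresh password check and re-bound to the new address instead of being destroyed, combined with the long random id David recommends. The `SessionStore` class, its method names and the sample addresses are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """In-memory session store that optionally binds a session to the
    client IP seen at login.  On a mismatch the session is not destroyed;
    it is flagged so the application can ask the user to log in again and,
    if that succeeds, re-bind the session to the new address.  This is
    hypothetical example code, not from any library discussed on the list."""

    def __init__(self, bind_ip=True, ttl=1800):
        self.bind_ip = bind_ip        # False = behave like a plain cookie session
        self.ttl = ttl                # idle timeout in seconds
        self._sessions = {}

    def create(self, user, ip, now=None):
        # 32 random bytes -> 43-char URL-safe id: long and unpredictable,
        # which is the property that actually stops session-id guessing.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": ip, "reauth": False,
                               "seen": time.time() if now is None else now}
        return sid

    def check(self, sid, ip, now=None):
        """Return 'ok', 'reauth' (IP changed, e.g. a load-balanced proxy
        pool, so the user must prove identity again) or 'invalid'
        (unknown or expired id)."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None or now - s["seen"] > self.ttl:
            self._sessions.pop(sid, None)
            return "invalid"
        if self.bind_ip and (s["ip"] != ip or s["reauth"]):
            s["reauth"] = True        # keep the session, but gate it
            return "reauth"
        s["seen"] = now
        return "ok"

    def reauthenticate(self, sid, ip, password_ok):
        """Called after the user re-entered credentials from the new IP;
        password_ok is the result of the normal credential check."""
        s = self._sessions.get(sid)
        if s is None or not password_ok:
            return False
        s["ip"], s["reauth"] = ip, False   # re-bind to the new address
        return True
```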

