Re: Session Management and IP address - experiences?

[Steven Boone <sboone () pyrontechnologies com>]

The thing is that a lot of larger ISPs (AOL for example) use load
balancing proxies and thus make it difficult lock the IP to the
session.  In this situation, it would be cumbersome at best to provide a
a login each time the IP address changed because the IP could in theory
change with every request, forcing the user to login every time they
request a new page.  I think that this kind of session management would
possibly work well with corporate and intranet systems and such where
you know what IP addresses should be connecting to a site, but for a
general website, I do not think that associating IP address to the
session is a very practical idea.



 On Thu, 2004-09-02 at 06:53, Thomas Schreiber wrote:
> A question about their experiences to those people that are running web
> applications with the clients ip address bound to the session. I.e. when
> creating a session, the client-ip is stored and then compared with every
> request. Only if the client-ip has not changed, the request is accepted as
> beeing part of the session.
>
> It is common knowledge, that things like loadbalanced proxies, where the ip
> address might change within a running session, interfere with this kind of
> security enhanced session management.
>
> But, how strong is the impact in practice really nowadays?
>
> Is it perhaps exceptable, as it happens only in rare cases? If this is the
> case, one might present the user another login where he can prove his
> identity again and continue with the session.
>
> (It is another story that session-ip-binding wouldn't solve the whole
> problem, as there are several szenarios, where an attacker might use the
> same proxy etc. as the victim...)
>
>
> Thomas Schreiber
> ____________________________________________________________
> SecureNet GmbH - http://www.securenet.de
-- 
****************************************
Steven Boone