WebApp Sec mailing list archives

RE: Session Management and IP address - experiences?


From: "Mike Randall" <mrandall () ajla net>
Date: Thu, 2 Sep 2004 13:00:08 -0500

The application I'm currently working on forces the user to
reauthenticate each time the client IP address changes, but they must
only reauthenticate once per IP address.  Their session is left intact
and they are able to continue where they were.  We originally had it so
the user would reauthenticate for each IP flip-flop, but our AOL users
got stuck in a continuous authentication loop.  For the most part, the
AOL users were flip-flopping between two or three IP addresses, so we
had them authenticate once for each distinct IP address.

Mike Randall

-----Original Message-----
From: Thomas Schreiber [mailto:ts () secure-net de] 
Sent: Thursday, September 02, 2004 7:54 AM
To: webappsec () lists securityfocus com
Subject: Session Management and IP address - experiences?

A question to those people that are running web applications with the
client's IP address bound to the session, about their experiences. I.e. when
creating a session, the client IP is stored and then compared with every
request. Only if the client IP has not changed is the request accepted
as being part of the session.

It is common knowledge that things like load-balanced proxies, where the
IP address might change within a running session, interfere with this
kind of security-enhanced session management.

But, how strong is the impact in practice really nowadays?

Is it perhaps acceptable, as it happens only in rare cases? If this is
the case, one might present the user with another login where he can prove
his identity again and continue with the session.

(It is another story that session IP binding wouldn't solve the whole
problem, as there are several scenarios where an attacker might use the
same proxy etc. as the victim...)


Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de

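The two policies discussed above, as an added illustration (not code from either poster): the strict "reauthenticate on every IP change" rule that produced the AOL login loop, beside Mike's "reauthenticate once per distinct IP, keep the session state" rule. The IP addresses in the replayed request sequence are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

STRICT = "strict"   # re-login on every IP change (the loop-prone variant)
PER_IP = "per_ip"   # re-login once per distinct IP; session state is kept

# Constructed sample traffic: a user whose proxy flip-flops between IPs.
AOL_FLIPFLOP = ["10.0.0.1", "10.0.0.2", "10.0.0.1",
                "10.0.0.2", "10.0.0.1", "10.0.0.3"]

@dataclass
class Session:
    user: str
    last_ip: str                 # IP of the most recent accepted request
    verified_ips: Set[str]       # IPs for which the user has proved identity
    state: Dict[str, str] = field(default_factory=dict)  # e.g. cart, form progress

def start_session(user: str, ip: str) -> Session:
    # The IP used at the initial login is trusted under both policies.
    return Session(user=user, last_ip=ip, verified_ips={ip})

def check_request(session: Session, ip: str, policy: str) -> str:
    """Return 'accept' or 'reauth' for a request arriving from ip."""
    if policy == STRICT:
        trusted = ip == session.last_ip
    elif policy == PER_IP:
        trusted = ip in session.verified_ips
    else:
        raise ValueError("unknown policy: %s" % policy)
    return "accept" if trusted else "reauth"

def reauthenticate(session: Session, ip: str, credentials_ok: bool) -> bool:
    """On a successful re-login the new IP becomes trusted; state is untouched."""
    if not credentials_ok:
        return False
    session.verified_ips.add(ip)
    return True

def simulate(ips: List[str], policy: str) -> int:
    """Replay a request sequence and count the re-logins the user is shown."""
    session = start_session("alice", ips[0])
    session.state["cart"] = "item-42"
    prompts = 0
    for ip in ips[1:]:
        if check_request(session, ip, policy) == "reauth":
            prompts += 1
            reauthenticate(session, ip, credentials_ok=True)
        session.last_ip = ip      # request accepted (directly or after re-login)
    assert session.state["cart"] == "item-42"   # session survived every re-login
    return prompts
```

Neither policy helps when the attacker sits behind the same proxy as the victim, as the original question already notes; the binding only narrows who can replay a stolen session identifier.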
