RE: Session Management and IP address - experiences?

["V. Poddubnyy" <vpoddubniy () mail ru>]

Hello,

As far as I remember, some time ago somebody asked the same...

General suggestion was: log the IP changes during requests of the same
session and then check how often your users will need to reauthenticate.

--
Best regards,
 Vladimir Poddubnyy 

> -----Original Message-----
> From: Thomas Schreiber [mailto:ts () secure-net de] 
> Sent: Thursday, September 02, 2004 4:54 PM
> To: webappsec () lists securityfocus com
> Subject: Session Management and IP address - experiences?
>
> A question about their experiences to those people that are 
> running web applications with the clients ip address bound to 
> the session. I.e. when creating a session, the client-ip is 
> stored and then compared with every request. Only if the 
> client-ip has not changed, the request is accepted as beeing 
> part of the session.
>
> It is common knowledge, that things like loadbalanced 
> proxies, where the ip address might change within a running 
> session, interfere with this kind of security enhanced 
> session management.
>
> But, how strong is the impact in practice really nowadays?
>
> Is it perhaps exceptable, as it happens only in rare cases? 
> If this is the case, one might present the user another login 
> where he can prove his identity again and continue with the session.
>
> (It is another story that session-ip-binding wouldn't solve 
> the whole problem, as there are several szenarios, where an 
> attacker might use the same proxy etc. as the victim...)
>
>
> Thomas Schreiber
> ____________________________________________________________
> SecureNet GmbH - http://www.securenet.de