WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Thu, 2 Sep 2004 11:17:48 -0700
I've witnessed tests of IP-bound sessions on both large and small (user-base) public web sites. As expected, the more unique users on the web site, the more problems with users spontaneously jumping IPs and causing problems.
On larger user-base web sites, the number of problems caused (and cost) outweighed the security benefits. On the smaller user-base web sites, session re-verification using a password was tolerable enough to utilize. Also, using only a portion of the IP address helped as well.
For myself, I'm a proponent of IP-binding sessions when appropriate. It makes the wall just a little bit higher.
Regards,
Jeremiah

On Thursday, September 2, 2004, at 05:53 AM, Thomas Schreiber wrote:

> A question about their experiences to those people that are running web applications with the client's IP address bound to the session. I.e. when creating a session, the client IP is stored and then compared with every request. Only if the client IP has not changed is the request accepted as being part of the session.
>
> It is common knowledge that things like load-balanced proxies, where the IP address might change within a running session, interfere with this kind of security-enhanced session management. But how strong is the impact in practice really nowadays? Is it perhaps acceptable, as it happens only in rare cases? If this is the case, one might present the user another login where he can prove his identity again and continue with the session.
>
> (It is another story that session-IP-binding wouldn't solve the whole problem, as there are several scenarios where an attacker might use the same proxy etc. as the victim...)
>
> Thomas Schreiber
> ____________________________________________________________
> SecureNet GmbH - http://www.securenet.de
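The two mitigations the thread talks around, binding a session to only a portion of the client address and asking for the password again instead of dropping the session when the address changes, combined in one small session store. This is an added example written for this archive page, not code posted by Jeremiah Grossman or Thomas Schreiber. The /24 and /64 prefix lengths, the `verify_password` callback and the sample addresses are assumptions; which address you feed in (the socket peer, or a trusted `X-Forwarded-For` hop) is the application's decision and is not handled here.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Assumed prefix lengths: /24 lets a client drift between proxies in one
# address block without a challenge; /32 would be strict full-IP binding.
V4_PREFIX = 24
V6_PREFIX = 64


def _prefix(ip: str) -> str:
    """Reduce a client address to the network it is bound to (e.g. 203.0.113.0/24)."""
    addr = ipaddress.ip_address(ip)
    plen = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def _token_id(token: str) -> str:
    # Keep only a hash of the token server-side so a leaked store does not leak sessions.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, verify_password):
        # verify_password(user, password) -> bool is supplied by the application (assumed).
        self._verify_password = verify_password
        self._sessions = {}

    def create(self, user: str, client_ip: str) -> str:
        """Start a session and record the network prefix the client came from."""
        token = secrets.token_urlsafe(32)
        self._sessions[_token_id(token)] = {
            "user": user,
            "net": _prefix(client_ip),
            "pending_reauth": False,
        }
        return token

    def check(self, token: str, client_ip: str) -> str:
        """Return 'ok', 'reauth' (prefix changed, password needed) or 'invalid'."""
        sess = self._sessions.get(_token_id(token))
        if sess is None:
            return "invalid"
        if sess["pending_reauth"]:
            return "reauth"
        if not hmac.compare_digest(sess["net"], _prefix(client_ip)):
            # Do not kill the session: challenge the user instead, as Thomas suggests.
            sess["pending_reauth"] = True
            return "reauth"
        return "ok"

    def reauth(self, token: str, client_ip: str, password: str) -> bool:
        """Re-verify the password and rebind the session to the client's new prefix."""
        sess = self._sessions.get(_token_id(token))
        if sess is None:
            return False
        if not self._verify_password(sess["user"], password):
            # A failed re-verification ends the session outright.
            del self._sessions[_token_id(token)]
            return False
        sess["net"] = _prefix(client_ip)
        sess["pending_reauth"] = False
        return True


def demo():
    """Constructed walk-through: drift inside the /24 passes, a jump elsewhere forces re-auth."""
    store = SessionStore(lambda user, pw: pw == "correct horse")
    token = store.create("alice", "203.0.113.10")
    return [
        store.check(token, "203.0.113.77"),            # same /24, e.g. another proxy in the pool
        store.check(token, "198.51.100.5"),            # different network: challenge
        store.check(token, "203.0.113.10"),            # stays challenged until re-auth
        store.reauth(token, "198.51.100.5", "wrong"),  # bad password: session destroyed
        store.check(token, "198.51.100.5"),
    ]


if __name__ == "__main__":
    print(demo())
```

Setting `V4_PREFIX = 32` turns this into the strict full-address binding the thread found costly on large user bases; the prefix-only variant is the "portion of the IP address" compromise, and it still offers nothing against an attacker sitting behind the same proxy, which is the limitation Thomas notes.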
Current thread:
- Session Management and IP address - experiences? Thomas Schreiber (Sep 02)
- Re: Session Management and IP address - experiences? David Wall @ Yozons, Inc. (Sep 02)
- Re: Session Management and IP address - experiences? avarni (Sep 04)
- RE: Session Management and IP address - experiences? Thomas Schreiber (Sep 05)
- Re: Session Management and IP address - experiences? Steven Boone (Sep 02)
- RE: Session Management and IP address - experiences? V. Poddubnyy (Sep 02)
- Re: Session Management and IP address - experiences? Jeremiah Grossman (Sep 02)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- Re: Session Management and IP address - experiences? Jeremiah Grossman (Sep 04)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- Re: Session Management and IP address - experiences? saphyr (Sep 02)
- Re: Session Management and IP address - experiences? Ben Timby (Sep 02)
- Re: Session Management and IP address - experiences? Bill Marquette (Sep 02)
- Re: Session Management and IP address - experiences? Adam Shostack (Sep 05)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- Re: Session Management and IP address - experiences? Adam Shostack (Sep 05)
- RE: Session Management and IP address - experiences? Harry Metcalfe (Sep 04)
- Re: Session Management and IP address - experiences? Viktors Rotanovs (Sep 04)
- Re: Session Management and IP address - experiences? Dave Wichers (Sep 02)