WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Session Management and IP address - experiences?

From: Ben Timby <asp () webexc com>
Date: Thu, 02 Sep 2004 13:50:14 -0500
You are forgetting the other case...

NAT routers, where a set of users all have the SAME IP address.

I have never used this method for the problems that would no doubt ensue.
In addition to what you mentioned, AOL, the largest ISP on the planet uses the load balancing proxies, thus AOL users will migrate between IPs, thus losing their session data. 

Thomas Schreiber wrote:


A question about their experiences to those people that are running web
applications with the clients ip address bound to the session. I.e. when
creating a session, the client-ip is stored and then compared with every
request. Only if the client-ip has not changed, the request is accepted as
beeing part of the session.

It is common knowledge, that things like loadbalanced proxies, where the ip
address might change within a running session, interfere with this kind of
security enhanced session management.

But, how strong is the impact in practice really nowadays?

Is it perhaps exceptable, as it happens only in rare cases? If this is the
case, one might present the user another login where he can prove his
identity again and continue with the session.

(It is another story that session-ip-binding wouldn't solve the whole
problem, as there are several szenarios, where an attacker might use the
same proxy etc. as the victim...)


Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
Previous By Date Next
Previous By Thread Next

Current thread: