WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: Viktors Rotanovs <Viktors () Rotanovs com>
Date: Sun, 05 Sep 2004 04:55:20 +0300
Thomas Schreiber wrote:
> A question about their experiences to those people that are running web
> applications with the clients ip address bound to the session.

From my experience, binding the session to the first two octets of the IP address is safe, and adding HttpOnly to the session cookie solves the problem of bad JavaScript stealing session cookies.

For more info about HttpOnly: http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
AFAIK HttpOnly is supported in MSIE, Mozilla/Firefox and Konqueror (and probably others).

I've also written an HttpOnly patch for PHP4: http://rotanovs.com/php-session-httponly.patch
To enable HttpOnly support, apply this patch and add this line to your php.ini:

session.cookie_httponly = 1

Best Wishes,
Viktors
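As an added illustration of the two measures described in this post (example code, not from the post and not PHP's session handler): a small Python session store that binds each session to the client's /16 (the first two octets) and issues the session cookie with the HttpOnly flag. The in-memory SESSIONS dict and the cookie name PHPSESSID are assumptions for the example.

```python
import ipaddress
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session store for this example (hypothetical).
SESSIONS = {}
COOKIE_NAME = "PHPSESSID"  # assumed cookie name, as PHP would use


def ip_prefix(client_ip):
    """Return the /16 containing client_ip, i.e. its first two octets.

    The octet heuristic from the post is IPv4-specific, so IPv6 is rejected
    rather than silently mis-bound.
    """
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("first-two-octet binding is defined for IPv4 only")
    return str(ipaddress.ip_network(f"{client_ip}/16", strict=False))


def create_session(client_ip):
    """Create a session bound to the client's /16.

    Returns (session_id, Set-Cookie header value); the cookie carries
    HttpOnly, the equivalent of session.cookie_httponly = 1 in the patch.
    """
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"prefix": ip_prefix(client_ip)}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True  # not readable from document.cookie
    cookie[COOKIE_NAME]["path"] = "/"
    return sid, cookie.output(header="").strip()


def validate_session(cookie_header, client_ip):
    """Accept the request only if the cookie names a live session whose
    bound /16 matches the /16 of the current client address."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get(COOKIE_NAME)
    if morsel is None:
        return False
    session = SESSIONS.get(morsel.value)
    if session is None:
        return False
    return session["prefix"] == ip_prefix(client_ip)
```

A client whose address changes within the same /16 (a proxy farm or a DHCP renewal, as the thread discusses) keeps its session; a cookie replayed from a different /16 is rejected.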