WebApp Sec mailing list archives

Re: Session Management and IP address - experiences?


From: Adam Shostack <adam () homeport org>
Date: Fri, 3 Sep 2004 09:24:34 -0400

So what about binding on the domain portion of the reverse lookup?

Accomplishes somewhat the same thing, making it harder to steal and
re-use a session, without running into the IP address issues.

Adam

On Thu, Sep 02, 2004 at 09:00:21PM -0500, Bill Marquette wrote:
| Forget it if you plan on having users from large ISPs (AOL) using your
| application.  Further, many corporate environments load balance
| outbound browsing.
| 
| --Bill
| 
| On Thu, 2 Sep 2004 14:53:58 +0200, Thomas Schreiber <ts () secure-net de> wrote:
| > A question about their experiences to those people that are running web
| > applications with the clients ip address bound to the session. I.e. when
| > creating a session, the client-ip is stored and then compared with every
| > request. Only if the client-ip has not changed, the request is accepted as
| > being part of the session.
| > 
| > It is common knowledge that things like load-balanced proxies, where the ip
| > address might change within a running session, interfere with this kind of
| > security enhanced session management.
| > 
| > But, how strong is the impact in practice really nowadays?
| > 
| > Is it perhaps acceptable, as it happens only in rare cases? If this is the
| > case, one might present the user another login where he can prove his
| > identity again and continue with the session.
| > 
| > (It is another story that session-ip-binding wouldn't solve the whole
| > problem, as there are several scenarios, where an attacker might use the
| > same proxy etc. as the victim...)
| > 
| > 
| > Thomas Schreiber
| > ____________________________________________________________
| > SecureNet GmbH - http://www.securenet.de
| > 
| >


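Added illustration of the scheme under discussion (not code from this thread or from SecureNet): a session store that binds either to the full client IP, as Thomas describes, or to the domain portion of the reverse lookup, as Adam proposes, and on a mismatch flags the session for re-authentication instead of dropping it. The reverse-DNS table is constructed so the code runs offline, and the class and function names are my own.

```python
import secrets

# Constructed reverse-lookup table standing in for socket.gethostbyaddr(),
# so the example runs offline; a deployment would query the resolver instead.
REVERSE_DNS = {
    "203.0.113.10": "cache1.proxy.example-isp.net",
    "203.0.113.11": "cache2.proxy.example-isp.net",  # same ISP pool, new address
    "198.51.100.7": "ws07.corp.example.com",
}

def reverse_domain(ip, lookup=REVERSE_DNS):
    """Domain portion of the reverse lookup (last two labels), or None without a PTR."""
    name = lookup.get(ip)
    return ".".join(name.split(".")[-2:]) if name else None

class SessionStore:
    """mode='ip' binds the full client address (Thomas); mode='rdns' binds the
    domain of its reverse lookup (Adam), so a hop between proxies of one ISP
    keeps the session while a request from elsewhere is challenged."""

    def __init__(self, mode="ip"):
        assert mode in ("ip", "rdns")
        self.mode, self.sessions = mode, {}

    def _key(self, ip):
        dom = reverse_domain(ip) if self.mode == "rdns" else None
        return f"rdns:{dom}" if dom else f"ip:{ip}"  # no PTR: fall back to the address

    def create(self, user, ip):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "binding": self._key(ip), "reauth": False}
        return sid

    def validate(self, sid, ip):
        """'ok', 'reauth' (origin changed: ask the user to log in again) or 'invalid'."""
        s = self.sessions.get(sid)
        if s is None:
            return "invalid"
        if s["binding"] != self._key(ip):
            s["reauth"] = True   # keep the session, but demand proof of identity first
        return "reauth" if s["reauth"] else "ok"

    def reauthenticate(self, sid, ip, credentials_ok):
        """After a successful re-login, rebind the session to the new origin."""
        s = self.sessions.get(sid)
        if s is None or not credentials_ok:
            return False
        s["binding"], s["reauth"] = self._key(ip), False
        return True
```

With mode='ip' the move between the two constructed proxy addresses triggers a re-login, which is the large-ISP problem Bill raises; with mode='rdns' it does not, while a request from the corporate host is still challenged.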