WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: Adam Shostack <adam () homeport org>
Date: Fri, 3 Sep 2004 09:24:34 -0400
So what about binding on the domain portion of the reverse lookup? Accomplishes somewhat the same thing, making it harder to steal and re-use a session, without running into the IP address issues.

Adam

On Thu, Sep 02, 2004 at 09:00:21PM -0500, Bill Marquette wrote:
| Forget it if you plan on having users from large ISPs (AOL) using your
| application. Further, many corporate environments load balance
| outbound browsing.
|
| --Bill
|
| On Thu, 2 Sep 2004 14:53:58 +0200, Thomas Schreiber <ts () secure-net de> wrote:
| > A question about their experiences to those people that are running web
| > applications with the client's IP address bound to the session. I.e. when
| > creating a session, the client IP is stored and then compared with every
| > request. Only if the client IP has not changed is the request accepted as
| > being part of the session.
| >
| > It is common knowledge that things like load-balanced proxies, where the IP
| > address might change within a running session, interfere with this kind of
| > security-enhanced session management.
| >
| > But how strong is the impact in practice really nowadays?
| >
| > Is it perhaps acceptable, as it happens only in rare cases? If this is the
| > case, one might present the user another login where he can prove his
| > identity again and continue with the session.
| >
| > (It is another story that session-IP-binding wouldn't solve the whole
| > problem, as there are several scenarios where an attacker might use the
| > same proxy etc. as the victim...)
| >
| >
| > Thomas Schreiber
| > ____________________________________________________________
| > SecureNet GmbH - http://www.securenet.de
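The thread discusses three options for tying a session to where it came from: an exact client-IP match (Thomas), the objection that ISP and corporate proxy pools rotate IPs mid-session (Bill), binding to the domain part of the reverse-DNS name instead (Adam), and a re-login instead of an outright rejection when the binding no longer matches (Thomas). The following is an added illustration, not code from any of the posters, showing those policies side by side in one session store. It assumes a constructed reverse-DNS table (`FAKE_PTR`) standing in for real PTR lookups so it runs offline, and the session IDs, addresses and host names are all made up.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for reverse DNS (assumption: in production this would
# be a real PTR lookup). Two addresses share an ISP proxy-pool domain; a third
# resolves somewhere else entirely.
FAKE_PTR = {
    "203.0.113.10": "cache-a.proxy.example-isp.net",
    "203.0.113.11": "cache-b.proxy.example-isp.net",
    "198.51.100.7": "host7.colo.example.org",
}


def reverse_domain(ip: str) -> Optional[str]:
    """Domain part of the PTR name (host label stripped), or None if no PTR."""
    name = FAKE_PTR.get(ip)
    if name is None:
        return None
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else name


@dataclass
class Session:
    user: str
    bound_ip: str
    bound_domain: Optional[str]
    created: float = field(default_factory=time.time)
    needs_reauth: bool = False  # set when the binding check fails


class SessionStore:
    """policy is 'ip' (exact address match) or 'domain' (reverse-lookup domain match)."""

    def __init__(self, policy: str):
        if policy not in ("ip", "domain"):
            raise ValueError("policy must be 'ip' or 'domain'")
        self.policy = policy
        self.sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self.sessions[sid] = Session(user, client_ip, reverse_domain(client_ip))
        return sid

    def check(self, sid: str, client_ip: str) -> str:
        """Return 'ok', 'reauth' (binding mismatch, ask for a fresh login) or 'reject'."""
        s = self.sessions.get(sid)
        if s is None:
            return "reject"
        if s.needs_reauth:
            return "reauth"  # stays flagged until the user proves identity again
        if self.policy == "domain" and s.bound_domain is not None:
            # Caveat: clients with no PTR record at login fall back to IP binding.
            matched = reverse_domain(client_ip) == s.bound_domain
        else:
            matched = client_ip == s.bound_ip
        if matched:
            return "ok"
        # Mismatch: keep the session rather than killing it, but require a re-login
        # before it is usable again, as suggested in the thread.
        s.needs_reauth = True
        return "reauth"

    def reauthenticate(self, sid: str, client_ip: str, password_ok: bool) -> bool:
        """Re-bind a flagged session after a successful re-login (password_ok is
        the result of the real credential check, stubbed here as a boolean)."""
        s = self.sessions.get(sid)
        if s is None or not password_ok:
            return False
        s.bound_ip = client_ip
        s.bound_domain = reverse_domain(client_ip)
        s.needs_reauth = False
        return True
```

Under the `ip` policy a user whose ISP moves them from `203.0.113.10` to `203.0.113.11` is bounced to a re-login; under the `domain` policy that move is accepted because both resolve under `proxy.example-isp.net`, while a request from `198.51.100.7` still trips the check. Note the domain policy inherits reverse DNS's weaknesses (missing or misleading PTR records, an attacker sitting behind the same proxy pool), which is the residual problem the original post already acknowledges.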