WebApp Sec mailing list archives
Re: Session Fixation
From: "HarryM" <harrym () the-group org>
Date: Mon, 31 Mar 2003 19:17:12 +0100
> This topic has been discussed at length on this list, and every time it is,
> the consensus is reached that "binding" some session identifier to an IP address is not only ineffectual, it provides a false sense of security.
I'm not sure that's entirely accurate. Checking the IP of the client against the IP the session was started with on each page request does provide some measure of protection against a malicious user hijacking an active session - I've implemented just that on my last project - that said, the project in question was not intended to work through proxies (access over a proxy was disallowed in the AUP) and we didn't really care about AOL users.

I agree that for a public system intended to work with as many ISPs and system configurations as possible, binding an IP to a session is probably futile, and to name it as an additional security feature is certainly misleading, but to discount it entirely as a useful precaution is unwise.

The implementation of the system this way does confirm what Gary posted earlier in the thread, though - oftentimes the sessions of legitimate users are invalidated because of this, but again, this is something we're willing to live with.

HarryM
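The per-request IP check HarryM describes, as an added example that is not code from the post or from his project, written in Python with constructed addresses; it also shows the legitimate-user invalidation the post accepts as the cost of the check.

```python
import secrets

# Constructed addresses (RFC 5737 documentation ranges), not taken from the thread.
USER_IP = "198.51.100.10"
OTHER_IP = "203.0.113.7"
PROXY_POOL = ["192.0.2.1", "192.0.2.2"]  # a proxy farm whose egress address changes per request


class SessionStore:
    """Server-side session table that binds each session to the IP it was started from."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user": ..., "ip": ...}
        self.invalidations = 0

    def create(self, user, client_ip):
        sid = secrets.token_urlsafe(32)   # unguessable id issued by the server after login
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def lookup(self, sid, client_ip):
        """Return the session's user, or None if the id is unknown or presented from another IP.
        A mismatch destroys the session, so a later request from the original IP is logged out too."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if sess["ip"] != client_ip:
            del self._sessions[sid]
            self.invalidations += 1
            return None
        return sess["user"]


def simulate():
    store = SessionStore()
    results = {}
    # 1. Normal use: same session id, same address -> accepted.
    sid = store.create("alice", USER_IP)
    results["same_ip_ok"] = store.lookup(sid, USER_IP) == "alice"
    # 2. The same id presented from a different address is refused and the session destroyed,
    #    so even the original holder has to log in again.
    results["other_ip_rejected"] = store.lookup(sid, OTHER_IP) is None
    results["owner_logged_out"] = store.lookup(sid, USER_IP) is None
    # 3. The cost the post accepts: a legitimate user whose proxy egress address changes
    #    between two requests is invalidated just the same.
    sid2 = store.create("bob", PROXY_POOL[0])
    results["proxy_user_invalidated"] = store.lookup(sid2, PROXY_POOL[1]) is None
    results["invalidations"] = store.invalidations
    return results


if __name__ == "__main__":
    print(simulate())
```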