WebApp Sec mailing list archives
Re: Session Fixation
From: Alex Russell <alex () netWindows org>
Date: Mon, 31 Mar 2003 15:12:01 -0600
On Monday 31 March 2003 12:17 pm, HarryM wrote:

> > "binding" some session identifier to an IP address is not only ineffectual, it provides a false sense of security.
>
> I'm not sure that's entirely accurate. Checking the IP of the client against the IP the session was started with on each page request does provide some measure of protection against a malicious user hijacking an active session - I've implemented just that on my last project - that said, the project in question was not intended to work through proxies (Access over a proxy was disallowed in the AUP) and we didn't really care about AOL users.

Ok, so you've mitigated some of the risks of relying on IP addrs with procedural and policy protections, which just goes to show that you can't rely on IPs. Heh.

> I agree that for a public system intended to work with as many ISPs and system configurations as possible, binding an IP to a session is probably futile, and to name it as an additional security feature is certainly misleading, but to discount it entirely as a useful precaution is unwise.

Actually, I think suggesting to anyone that they invest in half-measures when their time can be better spent elsewhere is even more damaging. On the one hand, I can see your argument: it raises the bar ever so slightly, which is a good thing. But I don't think it's a good _enough_ thing. Consider that most people implementing these systems _aren't_ experts. They understand IP, they understand networking, but they don't really think about how to break things, so relying on IP seems "good enough". Giving the uninformed bad choices and telling them to get it right is a recipe for disaster if ever I've seen one. So I stand by my opinion, if only because it leaves much less room for confusion among those who don't really grok all the complexities you seem willing to deal with, and because it matches the reality of truly untrustable networks. I find it much better to recommend things that work, are strong, and can address the core issues of session management rather than to hem and haw about the "nice to have" things that could possibly, sometimes, maybe provide some protection. IP "locking" provides very little benefit for lots of tail chasing, and it distracts newbie security developers from much more pressing problems and much better solutions. For those reasons, I continue to give it a big thumbs down.

--
Alex Russell
alex () netWindows org
alex () SecurePipe com
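The IP-binding check HarryM describes, written out as an added example that is not code from the thread or from either poster: a minimal in-memory session table that records the client address at session start and rechecks it on every request, run against constructed scenarios (a stolen ID presented from another address, a legitimate user whose proxy egress address rotates, and a second client sharing the user's egress address) that illustrate both the benefit and the limits argued above. Addresses, user names and the `SessionStore` API are assumptions made for the example.

```python
import secrets


class SessionStore:
    """In-memory session table; each session is bound to the client IP seen at creation."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": ..., "ip": ...}

    def start(self, user, client_ip):
        # Unpredictable id from the OS CSPRNG; remember the address it was issued to.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def lookup(self, sid, client_ip):
        """Return the user for sid, or None if the id is unknown or presented from another address."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["ip"] != client_ip:
            # Address mismatch: refuse the request (a real application would also log this).
            return None
        return entry["user"]


def run_scenarios():
    """Constructed scenarios using documentation-range addresses (not real hosts)."""
    store = SessionStore()
    sid = store.start("alice", "203.0.113.10")
    return {
        # 1. Same client, same address: accepted.
        "same_client": store.lookup(sid, "203.0.113.10"),
        # 2. Stolen id presented from an unrelated address: rejected (the benefit HarryM cites).
        "hijack_other_ip": store.lookup(sid, "198.51.100.7"),
        # 3. Legitimate user whose proxy pool rotates its egress address: falsely rejected.
        "proxy_rotation": store.lookup(sid, "203.0.113.11"),
        # 4. Another client behind the same proxy/NAT egress as alice: indistinguishable, accepted (the limit).
        "shared_egress": store.lookup(sid, "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'accepted as ' + result if result else 'rejected'}")
```

Scenarios 3 and 4 are the two failure modes the thread argues over: the check rejects legitimate traffic whose address changes, and it cannot tell apart clients that share an egress address.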
Current thread:
- Session Fixation St. Clair, James (Mar 25)
- Re: Session Fixation Gary Gwin (Mar 27)
- <Possible follow-ups>
- RE: Session Fixation Mark Mcdonald (Mar 27)
- RE: Session Fixation Information Security (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation HarryM (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation HarryM (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)
- Re: Session Fixation Alex Russell (Mar 31)