Re: Tying a session to an IP address

[Chris Burton <cyberhiker99 () yahoo com>]

I would first ask if you are running IIS as your web
server.  That is easy, and it does what you want
restricting it to a single IP, subnet, or via reverse
lookup.

If not IIS then perhaps with a firewall rule.

I have seen this done as a poorman's
extranet/intranet.

Regards,
Chris


--- Paul Johnston <paul () westpoint ltd uk> wrote:
> Hi,
>
> I'm interested in the merits of restricting a
> session to an IP address. 
> I realise this isn't great security as often many
> users will appear to 
> come from the same IP address (NAT, proxies, etc.)
> However, if you 
> consider the case where an attacker uses an XSS
> vulnerability to steal 
> the session ID, then the IP address restriction
> raises the bar 
> considerably for an arbitrary remote attacker to
> exploit this. I'm 
> worried that the IP address restriction wouldn't
> work for all users - 
> e.g. if their ISP uses load-balanced web caches.
> Does anyone know how 
> common such arrangements are in practice? Perhaps
> something to be done 
> then is just check the top 16 bits of the IP
> address. This is likely to 
> work for all such network arrangements and still
> raises the bar a lot 
> for remote attacks.
>
> Does anyone here already restrict sessions by IP
> address?
>
> Regards,
>
> Paul
>
> -- 
> Paul Johnston
> Internet Security Specialist
> Westpoint Limited
> Albion Wharf, 19 Albion Street,
> Manchester, M1 5LN
> England
> Tel: +44 (0)161 237 1028
> Fax: +44 (0)161 237 1031
> email: paul () westpoint ltd uk
> web: www.westpoint.ltd.uk