WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: "Dave Wichers" <dave.wichers () aspectsecurity com>
Date: Thu, 2 Sep 2004 13:47:18 -0400
I have heard, but not experienced directly, that the impact of this idea is very high. AOL users are used as the classic example. If you do this, and your users are coming from the general internet, including AOL, then many such users will be unable to use your site. As such, we have been recommending against this practice for many years unless it is done in a controlled (i.e., intranet) environment where none of the users exhibit this type of behavior.

-Dave

Dave Wichers - CISSP, CISM
Chief Operating Officer
dave.wichers () aspectsecurity com
(301) 604-4882 x15 (main)
(443) 745-6268 (cell)
Aspect Security
Securing your applications at the source
http://www.aspectsecurity.com

----- Original Message -----
From: Thomas Schreiber
To: webappsec () lists securityfocus com
Sent: Thursday, September 02, 2004 8:53 AM
Subject: Session Management and IP address - experiences?

A question about their experiences to those people that are running web applications with the client's IP address bound to the session. I.e., when creating a session, the client IP is stored and then compared with every request. Only if the client IP has not changed is the request accepted as being part of the session.

It is common knowledge that things like load-balanced proxies, where the IP address might change within a running session, interfere with this kind of security-enhanced session management. But how strong is the impact in practice really nowadays? Is it perhaps acceptable, as it happens only in rare cases? If this is the case, one might present the user another login where he can prove his identity again and continue with the session.

(It is another story that session-IP binding wouldn't solve the whole problem, as there are several scenarios where an attacker might use the same proxy etc. as the victim...)

Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
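As an added illustration of the scheme Thomas describes, here is a small Python sketch written for this archive page; it is not code from either poster, from SecureNet or from Aspect Security. It binds a server-side session to the IP address seen at login, freezes the session when a later request arrives from a different address, and lets a fresh login rebind the session to the new address (the "present the user another login" option). The count_interruptions helper is a constructed simulation of the usability cost Dave refers to: a client whose requests leave through a rotating proxy pool is asked to re-authenticate on almost every request, while a client with a stable address is never interrupted. All class and function names, and the sample IP addresses, are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    bound_ip: str            # client address recorded when the session was created
    pending_reauth: bool = False


class IpBoundSessionStore:
    """Sessions bound to the client IP observed at login (hypothetical example).

    validate() returns one of:
      "ok"      - token known and the request IP matches the bound IP
      "reauth"  - token known but the IP differs (or the session is already
                  frozen); the session is kept but no work is done on it until
                  the user proves identity again via reauthenticate()
      "invalid" - unknown token
    """

    def __init__(self):
        self._sessions = {}

    def create(self, user, client_ip):
        token = secrets.token_urlsafe(32)     # unguessable session identifier
        self._sessions[token] = Session(user, client_ip)
        return token

    def validate(self, token, client_ip):
        s = self._sessions.get(token)
        if s is None:
            return "invalid"
        if not s.pending_reauth and s.bound_ip == client_ip:
            return "ok"
        s.pending_reauth = True               # freeze until a fresh login succeeds
        return "reauth"

    def reauthenticate(self, token, client_ip, credentials_ok):
        """Rebind a frozen session after a fresh login from the new address.

        credentials_ok is the outcome of the application's own password check.
        A failed re-login is treated as a possible hijack attempt: the session
        is discarded rather than left frozen for further guessing.
        """
        s = self._sessions.get(token)
        if s is None:
            return False
        if not credentials_ok:
            del self._sessions[token]
            return False
        s.bound_ip = client_ip
        s.pending_reauth = False
        return True


def count_interruptions(ip_sequence):
    """Constructed simulation: how many requests of one browsing session would
    force a re-login. The first address is the one seen at login; each later
    address is the source of one subsequent request. A re-login is assumed to
    succeed, so the session is rebound and browsing continues."""
    store = IpBoundSessionStore()
    token = store.create("demo-user", ip_sequence[0])
    interruptions = 0
    for ip in ip_sequence[1:]:
        if store.validate(token, ip) == "reauth":
            interruptions += 1
            store.reauthenticate(token, ip, credentials_ok=True)
    return interruptions


if __name__ == "__main__":
    stable = ["192.0.2.10"] * 6                      # constructed: one fixed address
    rotating = ["10.0.0.1", "10.0.0.2", "10.0.0.3",  # constructed: round-robin proxy pool
                "10.0.0.1", "10.0.0.2", "10.0.0.3"]
    print("stable client, re-logins forced:", count_interruptions(stable))
    print("rotating proxy pool, re-logins forced:", count_interruptions(rotating))
```

Note that, as Thomas's closing remark already points out, the check only distinguishes addresses: a request from anyone sharing the victim's proxy address still passes, so the binding narrows rather than closes the session-hijacking window, and the re-login path above is what keeps the cost to legitimate roaming users bounded.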