WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: Steven Boone <sboone () pyrontechnologies com>
Date: Thu, 02 Sep 2004 11:56:49 -0600
The thing is that a lot of larger ISPs (AOL, for example) use load-balancing proxies and thus make it difficult to lock the IP to the session. In this situation, it would be cumbersome at best to require a login each time the IP address changed, because the IP could in theory change with every request, forcing the user to log in every time they request a new page.

I think that this kind of session management would possibly work well with corporate and intranet systems and such, where you know what IP addresses should be connecting to a site, but for a general website I do not think that associating the IP address with the session is a very practical idea.

On Thu, 2004-09-02 at 06:53, Thomas Schreiber wrote:
A question about their experiences to those people that are running web applications with the client's IP address bound to the session, i.e. when creating a session, the client IP is stored and then compared with every request. Only if the client IP has not changed is the request accepted as being part of the session.

It is common knowledge that things like load-balanced proxies, where the IP address might change within a running session, interfere with this kind of security-enhanced session management. But how strong is the impact in practice really nowadays? Is it perhaps acceptable, as it happens only in rare cases? If this is the case, one might present the user another login where he can prove his identity again and continue with the session.

(It is another story that session-IP binding wouldn't solve the whole problem, as there are several scenarios where an attacker might use the same proxy etc. as the victim...)

Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
-- **************************************** Steven Boone
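The mechanism the two posts are discussing, worked through as an added example that is not code from either poster: a server-side session store that records the client IP at login, compares it on every request, and, instead of dropping the session on a mismatch, flags it for the re-login Thomas proposes. The small simulation at the end reproduces Steven's objection by running the same session through a round-robin proxy pool. All names, addresses and the `simulate` helper are assumptions constructed for this example; the addresses are documentation ranges, not real hosts.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str                      # client IP recorded when the session was created
    pending_reauth: bool = False  # set when a request arrives from a different IP


class IpBoundSessionStore:
    """Sessions bound to the client IP seen at login (hypothetical example class)."""

    def __init__(self):
        self._sessions = {}
        self.reauth_prompts = 0   # how often a user was sent back to the login form

    def login(self, user, ip):
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = Session(user=user, ip=ip)
        return token

    def check(self, token, ip):
        """Return 'ok', 'reauth' (IP changed, prove identity again) or 'invalid'."""
        s = self._sessions.get(token)
        if s is None:
            return "invalid"
        if s.pending_reauth:
            return "reauth"
        if ip != s.ip:
            # Do not kill the session outright; demand a fresh login first.
            s.pending_reauth = True
            self.reauth_prompts += 1
            return "reauth"
        return "ok"

    def reauthenticate(self, token, ip, password_ok):
        """Re-bind the session to the new IP once the user has re-proved identity."""
        s = self._sessions.get(token)
        if s is None or not password_ok:
            return False
        s.ip = ip
        s.pending_reauth = False
        return True


def simulate(ips_per_request):
    """Run one session through a request sequence; the first IP is the login IP.

    Returns (requests served, re-login prompts shown). The simulated user always
    re-authenticates successfully when asked, so served == len(ips) - 1.
    """
    store = IpBoundSessionStore()
    token = store.login("alice", ips_per_request[0])
    served = 0
    for ip in ips_per_request[1:]:
        status = store.check(token, ip)
        if status == "reauth":
            store.reauthenticate(token, ip, password_ok=True)
            status = store.check(token, ip)
        if status == "ok":
            served += 1
    return served, store.reauth_prompts


if __name__ == "__main__":
    # Constructed traffic: one fixed address versus a three-address proxy pool
    # handing out a different egress IP on every request.
    fixed = ["192.0.2.10"] * 11
    pool = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    rotating = [pool[i % len(pool)] for i in range(11)]
    print("fixed IP     :", simulate(fixed))      # 10 requests, 0 re-login prompts
    print("rotating pool:", simulate(rotating))   # 10 requests, 10 re-login prompts
```

Two properties of the simple check are worth noting. A stolen token presented from a different address gets `reauth`, and a wrong password leaves the session flagged, so the thief gains nothing; but a request from the same egress address as the victim (the shared-proxy case Thomas mentions) passes as `ok`, because the check only sees the IP. And because the flag is set on the session rather than on the request, an attacker who merely probes the token from another address forces the legitimate user back through the login form on their next request.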
Current thread:
- Session Management and IP address - experiences? Thomas Schreiber (Sep 02)
- Re: Session Management and IP address - experiences? David Wall @ Yozons, Inc. (Sep 02)
- Re: Session Management and IP address - experiences? avarni (Sep 04)
- RE: Session Management and IP address - experiences? Thomas Schreiber (Sep 05)
- Re: Session Management and IP address - experiences? Steven Boone (Sep 02)
- RE: Session Management and IP address - experiences? V. Poddubnyy (Sep 02)
- Re: Session Management and IP address - experiences? Jeremiah Grossman (Sep 02)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- Re: Session Management and IP address - experiences? Jeremiah Grossman (Sep 04)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- Re: Session Management and IP address - experiences? saphyr (Sep 02)
- Re: Session Management and IP address - experiences? Ben Timby (Sep 02)
- Re: Session Management and IP address - experiences? Bill Marquette (Sep 02)
- Re: Session Management and IP address - experiences? Adam Shostack (Sep 05)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- Re: Session Management and IP address - experiences? Adam Shostack (Sep 05)
- RE: Session Management and IP address - experiences? Harry Metcalfe (Sep 04)
(Thread continues...)
- Re: Session Management and IP address - experiences? David Wall @ Yozons, Inc. (Sep 02)