WebApp Sec mailing list archives

Re: Session Management and IP address - experiences?


From: "saphyr" <saphyr () infomaniak ch>
Date: Thu, 2 Sep 2004 22:24:47 +0200

> It is common knowledge that things like load-balanced proxies, where the IP
> address might change within a running session, interfere with this kind of
> security-enhanced session management.
>
> But how strong is the impact in practice really nowadays?

Hi Thomas, 

I agree with your concern: how deep is the impact of implementing a
feature like IP-address session binding?

In my case, I force this binding. If the IP address assigned to a session changes
during the session, I destroy the session and ask the user for their credentials again.

I guess the most accurate feedback might come from customers
being effectively disconnected while browsing the webapp, but until now
I have never heard of anyone being hurt by that feature.

One fact which might be taken into account is your 'targeted audience'.
In my case, it'd be uncommon to see people coming from huge ISPs
like AOL, for example. Such proxies are not (yet) commonly used by
Swiss or even French Internet providers.

Finally, what is your concern: being able to ensure protection against
session hijacking/spoofing, or improving your visitors' comfort a little? ; )

My 2 cents. antoine
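The binding policy antoine describes (record the client address at login, destroy the session and force a new login when a later request arrives from a different address), written out as an added example. This is hypothetical code, not from the thread or from any product mentioned in it; `SessionStore`, `client_ip` and the sample addresses are assumptions. It also goes one step beyond the post: `client_ip` handles the reverse-proxy case Thomas raised, where the TCP peer is always the proxy and the real address has to be taken from X-Forwarded-For, but only when the header was set by a proxy you operate.

```python
"""Session store that binds each session to the client IP seen at login and
destroys it when a request arrives from a different address.
Added example: hypothetical code, not from the original mailing-list thread."""

import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    user: str
    client_ip: str


class SessionStore:
    """In-memory store; a real deployment would use a shared backend."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        # 256-bit random session id; the IP check supplements it, it does not replace it
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def lookup(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user name for a valid session, or None.

        On an IP mismatch the session is destroyed, not merely rejected, so the
        legitimate user is logged out as well and must present credentials again.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not hmac.compare_digest(sess.client_ip, client_ip):
            del self._sessions[sid]
            return None
        return sess.user

    def active(self) -> int:
        return len(self._sessions)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: List[str]) -> str:
    """Pick the address to bind the session to.

    Behind your own reverse proxy, remote_addr is the proxy, so every client
    would share one address and the check would be useless. Walk
    X-Forwarded-For from the right, skipping only proxies we operate; the first
    address we do not trust is the client. The header is ignored entirely when
    the TCP peer is not one of our proxies, since anyone can send it.
    """
    nets = [ipaddress.ip_network(p) for p in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in n for n in nets)

    if not trusted(remote_addr) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not trusted(hop):
            return hop
    return remote_addr  # every hop was ours: nothing more reliable to use


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed scenario: login, a hijack attempt from another address, and
    the legitimate user's next request. Returns the three lookup results."""
    store = SessionStore()
    sid = store.login("alice", "203.0.113.10")
    ok = store.lookup(sid, "203.0.113.10")       # "alice"
    hijack = store.lookup(sid, "198.51.100.7")   # None, session destroyed
    after = store.lookup(sid, "203.0.113.10")    # None: alice must log in again
    return ok, hijack, after
```

The third result in `demo` is the cost the post discusses: a user whose address legitimately changes mid-session (a load-balanced ISP proxy, a laptop moving networks) is treated exactly like the hijacker and has to log in again. `client_ip` keeps the check meaningful behind your own proxy, but it cannot help with proxies on the client's side, which is why the audience matters.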


