WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: "saphyr" <saphyr () infomaniak ch>
Date: Thu, 2 Sep 2004 22:24:47 +0200
It is common knowledge that things like load-balanced proxies, where the IP address might change within a running session, interfere with this kind of security enhanced session management. But, how strong is the impact in practice really nowadays?
Hi Thomas,

I agree with your concern: how deep is the impact of implementing a feature like ip-address-session-binding. In my case, I force this binding. If a session-assigned IP address is changed during the session, I destroy it and re-ask the user for credentials.

I guess the most accurate feedback might be coming from customers being effectively disconnected while browsing the webapp, but 'til now, I never heard of anyone being hurt by that feature.

One fact which might be taken into account is your 'targeted audience'. In my case, it'd be uncommon to see people coming from huge ISPs like AOL for example. Such proxies are not (yet) commonly used by Swiss or even French Internet providers.

Finally, what is your concern: being able to ensure protection against session hijacking/spoofing or improving a little your visitor's comfort? ;)

my 2 cents.
antoine
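The binding described in the message above (destroy the session and ask for credentials again when the address changes), as an added example that is not part of the original post or of any poster's code. The class and method names are hypothetical, and the optional prefix matching goes beyond the post as one way to tolerate the changing proxy addresses raised in the quoted question; it assumes `client_ip` is the address of the TCP peer, not a client-supplied header.

```python
import ipaddress
import secrets


class IPBoundSessions:
    """In-memory session store that binds each session to the client address.

    prefix_v4 / prefix_v6 set how much of the address must stay the same:
    32 / 128 is the strict binding from the post; shorter prefixes are an
    assumption added here to tolerate proxy pools inside one network.
    """

    def __init__(self, prefix_v4=32, prefix_v6=128):
        self._prefix = {4: prefix_v4, 6: prefix_v6}
        self._sessions = {}  # session id -> (bound network, user)

    def _network(self, ip_text):
        ip = ipaddress.ip_address(ip_text)  # raises ValueError on junk input
        return ipaddress.ip_network(f"{ip}/{self._prefix[ip.version]}", strict=False)

    def login(self, user, client_ip):
        """Create a session bound to the address seen at login."""
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = (self._network(client_ip), user)
        return sid

    def check(self, sid, client_ip):
        """Return the user, or None when the caller must log in again."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        bound, user = entry
        try:
            same = self._network(client_ip) == bound
        except ValueError:
            same = False  # unparsable address never matches
        if not same:
            # Address changed mid-session: destroy it, as the post describes,
            # so the old id is useless even from the original address.
            del self._sessions[sid]
            return None
        return user
```

Counting how often `check` returns `None` for a session that still exists gives the disconnect rate the thread is asking about, without waiting for customer complaints.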