WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: "saphyr" <saphyr () infomaniak ch>
Date: Sun, 5 Sep 2004 14:02:20 +0200
> Would it be feasible to log the user's IP and their activity on the site into another database table for forensic analysis at a later date, if needed, instead of binding the IP address to the current session?

Of course it would be possible and is actually very easy. But this is considered as a corrective security measure: it only gets useful after an attack, as you said, that's doc for the forensics ;) There's a security principle for those measures which is 'preparing yourself to lose whatever you might do'. In our case, we are trying to find 'preventive' measures and not corrective ones: those who prevent successful attacks against an information system. In conclusion, what you're suggesting is an improvement of the auditing/logging process (which is also among the security principles) which as good as it gets should indeed be implemented when possible ;)

.antoine

> The best practices should
>
> Regards - Keith Roberts
> my 2 cents worth

---------- Forwarded message ----------
To: Thomas Schreiber <ts () secure-net de>
From: Ben Timby <asp () webexc com>
Subject: Re: Session Management and IP address - experiences?

You are forgetting the other case... NAT routers, where a set of users all have the SAME IP address. I have never used this method for the problems that would no doubt ensue. In addition to what you mentioned, AOL, the largest ISP on the planet, uses load-balancing proxies, thus AOL users will migrate between IPs, thus losing their session data.

Thomas Schreiber wrote:
> A question about their experiences to those people that are running web applications with the client's IP address bound to the session. I.e. when creating a session, the client IP is stored and then compared with every request. Only if the client IP has not changed is the request accepted as being part of the session.
>
> It is common knowledge that things like load-balanced proxies, where the IP address might change within a running session, interfere with this kind of security-enhanced session management. But how strong is the impact in practice really nowadays? Is it perhaps acceptable, as it happens only in rare cases? If this is the case, one might present the user another login where he can prove his identity again and continue with the session.
>
> (It is another story that session-IP binding wouldn't solve the whole problem, as there are several scenarios where an attacker might use the same proxy etc. as the victim...)
>
> Thomas Schreiber
> ____________________________________________________________
> SecureNet GmbH - http://www.securenet.de
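As an added example, not code from any of the posters: a session store that binds the client IP but, on a mismatch, steps the session down to "re-login required" (Thomas Schreiber's suggestion) instead of destroying it, and writes every IP event to a separate audit list standing in for Keith Roberts's forensic table. The addresses, user names and the `credential_ok` flag are constructed; the NAT case shows why the IP check alone cannot tell two clients behind one address apart.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    bound_ip: str
    needs_reauth: bool = False

class SessionStore:
    """Sessions bound to a client IP; an IP change demands re-login instead of a hard kill."""
    def __init__(self):
        self.sessions = {}
        self.audit = []  # stand-in for a separate forensic/audit table

    def create(self, user, ip):
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = Session(user, ip)
        self.audit.append(("login", user, ip))
        return sid

    def check(self, sid, ip):
        s = self.sessions.get(sid)
        if s is None:
            return "no_session"
        if ip != s.bound_ip and not s.needs_reauth:
            s.needs_reauth = True  # step down rather than destroy the session
            self.audit.append(("ip_change", s.user, f"{s.bound_ip}->{ip}"))
        return "reauth_required" if s.needs_reauth else "ok"

    def reauth(self, sid, user, ip, credential_ok):
        # Rebind only after the user proved identity again (credential_ok is a hypothetical result)
        s = self.sessions.get(sid)
        if s is None or s.user != user or not credential_ok:
            return False
        s.bound_ip, s.needs_reauth = ip, False
        self.audit.append(("rebind", user, ip))
        return True

def demo():
    store = SessionStore()
    sid = store.create("alice", "203.0.113.10")  # constructed addresses
    results = {"same_ip": store.check(sid, "203.0.113.10")}
    results["proxy_rotated"] = store.check(sid, "203.0.113.11")  # load-balanced proxy pool
    store.reauth(sid, "alice", "203.0.113.11", True)
    results["after_reauth"] = store.check(sid, "203.0.113.11")
    # NAT: any client behind the same address passes the IP check alone
    results["same_nat_other_client"] = store.check(sid, "203.0.113.11")
    results["audit_events"] = [e[0] for e in store.audit]
    return results
```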