Re: Session Management and IP address - experiences?

["saphyr" <saphyr () infomaniak ch>]

> Would it be feasable to log the user's IP and their activity
> on the site into another database table for forensic
> analysis at a later date, if needed. Instead of binding the
> IP address to the current session?

Of course it would be possible and is actually very easy. But 
this is considered as a corrective security measure: it only gets
usefull after an attack, as you said, that's doc for the forensics ;)

There's a security principle for those measures which is 'preparing
yourself to loose whatever you might do'. 

In our case, we are trying to find 'preventive' measures and not
corrective ones: those who prevent successfull attacks against
an information system.

In conclusion, what you're suggesting is an improvement of the
auditing/logging process (which is also among the security 
principles) which as good as it gets should indeed be implemented
when possible ;)

.antoine

The best practices shoulf
> Regards - Keith Roberts
>
> my 2cents worth
>
> ---------- Forwarded message ----------
> To: Thomas Schreiber <ts () secure-net de>
> From: Ben Timby <asp () webexc com>
> Subject: Re: Session Management and IP address - experiences?
>
> You are forgetting the other case...
>
> NAT routers, where a set of users all have the SAME IP address.
>
> I have never used this method for the problems that would no doubt ensue.
>
> In addition to what you mentioned, AOL, the largest ISP on the planet
> uses the load balancing proxies, thus AOL users will migrate between
> IPs, thus losing their session data.
>
> Thomas Schreiber wrote:
>
> > A question about their experiences to those people that are running web
> > applications with the clients ip address bound to the session. I.e. when
> > creating a session, the client-ip is stored and then compared with every
> > request. Only if the client-ip has not changed, the request is accepted as
> > beeing part of the session.
> >
> > It is common knowledge, that things like loadbalanced proxies, where the ip
> > address might change within a running session, interfere with this kind of
> > security enhanced session management.
> >
> > But, how strong is the impact in practice really nowadays?
> >
> > Is it perhaps exceptable, as it happens only in rare cases? If this is the
> > case, one might present the user another login where he can prove his
> > identity again and continue with the session.
> >
> > (It is another story that session-ip-binding wouldn't solve the whole
> > problem, as there are several szenarios, where an attacker might use the
> > same proxy etc. as the victim...)
> >
> >
> > Thomas Schreiber
> > ____________________________________________________________
> > SecureNet GmbH - http://www.securenet.de