WebApp Sec mailing list archives

Re: Session Fixation


From: "HarryM" <harrym () the-group org>
Date: Mon, 31 Mar 2003 19:17:12 +0100

This topic has been discussed at length on this list, and every time it is,
the consensus is reached that "binding" some session identifier to an IP
address is not only ineffectual, it provides a false sense of security.

I'm not sure that's entirely accurate. Checking the IP of the client against
the IP the session was started with on each page request does provide some
measure of protection against a malicious user hijacking an active session -
I've implemented just that on my last project - that said, the project in
question was not intended to work through proxies (Access over a proxy was
disallowed in the AUP) and we didn't really care about AOL users.

I agree that for a public system intended to work with as many ISPs and
system configurations as possible, binding an IP to a session is probably
futile, and to name it as an additional security feature is certainly
misleading, but to discount it entirely as a useful precaution is unwise.

The implementation of the system this way does confirm what Gary posted
earlier in the thread, though: oftentimes the sessions of legitimate users
are invalidated because of this, but again, this is something we're willing
to live with.

HarryM
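The check HarryM describes (compare the requesting client's IP with the one the session was created from, on every request) as an added, self-contained example; this is not code from the original post or from HarryM's project. The store, the user names and the IP addresses are constructed for illustration, and the second scenario shows the trade-off the post concedes: a legitimate client whose requests leave through a rotating proxy pool gets logged out.

```python
"""Added example, not part of the original post: a toy session store that
binds each session ID to the peer IP it was created from and re-checks it
on every request. Names, addresses and the API are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    bound_ip: str


class IpBoundSessionStore:
    """In-memory session store. A request that presents a session ID from
    an IP other than the one it was bound to is rejected and the session
    is destroyed, so the ID is useless to whoever replays it."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, peer_ip: str) -> str:
        # Fresh, unguessable ID issued at login. Issuing a new ID here is what
        # actually defeats session fixation; the IP binding is a separate,
        # weaker layer on top of it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, bound_ip=peer_ip)
        return sid

    def lookup(self, sid: str, peer_ip: str) -> Optional[Session]:
        """peer_ip must be the transport-level source address, never a
        client-supplied header such as X-Forwarded-For, which an attacker
        can set to whatever value the victim's session is bound to."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session.bound_ip != peer_ip:
            # Mismatch: treat as a possible hijack and invalidate the session.
            del self._sessions[sid]
            return None
        return session


def hijack_attempt_rejected() -> bool:
    """Session ID obtained by an attacker (fixation, sniffing, ...) is
    replayed from a different address and refused."""
    store = IpBoundSessionStore()
    sid = store.create("alice", "198.51.100.10")   # constructed addresses
    replay = store.lookup(sid, "203.0.113.7")
    # Side effect worth knowing: the legitimate user is logged out too, so an
    # attacker holding the ID can at least force a logout.
    victim_after = store.lookup(sid, "198.51.100.10")
    return replay is None and victim_after is None


def proxy_pool_user_invalidated() -> bool:
    """The cost the post accepts: a legitimate client whose egress IP changes
    mid-session (rotating proxy pool, AOL-style) is logged out."""
    store = IpBoundSessionStore()
    sid = store.create("bob", "203.0.113.20")
    first = store.lookup(sid, "203.0.113.20")        # same egress: accepted
    second = store.lookup(sid, "203.0.113.21")       # new egress: rejected
    third = store.lookup(sid, "203.0.113.20")        # session already gone
    return first is not None and second is None and third is None


if __name__ == "__main__":
    print("hijack rejected:", hijack_attempt_rejected())
    print("proxy user invalidated:", proxy_pool_user_invalidated())
```

Whether the second scenario is acceptable is exactly the AUP question the post raises: where proxies are disallowed the false logouts are rare, on a public site they are routine, and in neither case should the check be counted as a substitute for issuing a fresh session ID at login.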


