WebApp Sec mailing list archives

Re: Session Fixation


From: Alex Russell <alex () netWindows org>
Date: Mon, 31 Mar 2003 15:12:01 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 31 March 2003 12:17 pm, HarryM wrote:
> > "binding" some session identifier to an IP address is not only
> > ineffectual, it provides a false sense of security.
>
> I'm not sure that's entirely accurate. Checking the IP of the client
> against the IP the session was started with on each page request does
> provide some measure of protection against a malicious user hijacking an
> active session - I've implemented just that on my last project - that
> said, the project in question was not intended to work through proxies
> (Access over a proxy was disallowed in the AUP) and we didn't really care
> about AOL users.

Ok, so you've mitigated some of the risks of relying on IP addrs with 
procedural and policy protections, which just goes to show that you can't 
rely on IPs. Heh.

> I agree that for a public system intended to work with as many ISPs and
> system configurations as possible, binding an IP to a session is probably
> futile, and to name it as an additional security feature is certainly
> misleading, but to discount it entirely as a useful precaution is unwise.

Actually, I think suggesting to anyone that they invest in half-measures 
when their time can be better spent elsewhere is even more damaging. On the 
one hand, I can see your argument: it raises the bar ever so slightly, 
which is a good thing. But I don't think it's a good _enough_ thing. 
Consider that most people implementing these systems _aren't_ experts. They 
understand IP, they understand networking, but they don't really think 
about how to break things, so relying on IP seems "good enough". Giving the 
un-informed bad choices and telling them to get it right is a recipe for 
disaster if ever I've seen one.

So I stand by my opinion, if only because it leaves much less room for 
confusion among those who don't really grok all the complexities you seem 
willing to deal with, and because it matches the reality of truly 
untrustable networks. I find it much better to recommend things that work, 
are strong, and can address the core issues of session management rather 
than to hem and haw about the "nice to have" things that could possibly, 
sometimes, maybe provide some protection.

IP "locking" provides very little benefit for lots of tail chasing, and it 
distracts newbie security developers from much more pressing problems and 
much better solutions. For those reasons, I continue to give it a big 
thumbs down.

- -- 
Alex Russell
alex () netWindows org
alex () SecurePipe com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+iK8hoV0dQ6uSmkYRAtVHAJ960aq8OW9kWIYwR439WH/I4Ga3bQCfSt7v
macQFkPSA2tHb9KfxWHioNI=
=xfF3
-----END PGP SIGNATURE-----
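To make the tradeoff the two posters argue about concrete, here is an added example written for this archive page; it is not code from either poster or from any project mentioned in the thread. It models a minimal in-memory session store (the `SessionStore` class, its IP values and the user name "alice" are all constructed for the example) with the "compare the client IP to the IP the session was started with on every request" check, and walks through the two cases the discussion turns on: a legitimate user whose requests arrive from different proxy addresses is rejected, while anyone presenting the identifier from the same address passes the check unchanged. As a contrast, `login` shows the kind of session-management measure that addresses the fixation problem the thread is named for, re-issuing the identifier at authentication so a pre-set identifier is never promoted to an authenticated one; that contrast is my own addition and is not something the posters describe.

```python
import secrets
import time


class SessionStore:
    """Constructed in-memory session store: session_id -> record."""

    def __init__(self):
        self._sessions = {}

    def create(self, client_ip, bind_ip=True):
        """Create an anonymous session; optionally remember the creating IP."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "ip": client_ip if bind_ip else None,
            "user": None,
            "created": time.time(),
        }
        return sid

    def lookup(self, sid, client_ip):
        """Return the record, or None if the id is unknown or (when bound) the IP differs."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["ip"] is not None and rec["ip"] != client_ip:
            return None  # IP-bound session presented from a different address
        return rec

    def login(self, sid, client_ip, user):
        """Authenticate and issue a fresh id so a pre-set (fixated) id is never promoted."""
        rec = self.lookup(sid, client_ip)
        if rec is None:
            return None
        del self._sessions[sid]                 # old id stops working immediately
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {**rec, "user": user}
        return new_sid


def proxy_ip_change_rejects_legit_user():
    """A user behind a proxy pool: request 1 exits node A, request 2 exits node B."""
    store = SessionStore()
    sid = store.create("10.0.0.1")                  # constructed proxy node A
    return store.lookup(sid, "10.0.0.2") is None    # node B: valid user is thrown out


def shared_ip_passes_check():
    """Two parties behind one NAT gateway share an address, so the check adds nothing."""
    store = SessionStore()
    sid = store.create("203.0.113.5")               # constructed NAT gateway address
    # Any party presenting this id from the same gateway address passes the IP test.
    return store.lookup(sid, "203.0.113.5") is not None


def regeneration_invalidates_preset_id():
    """Re-issuing the id at login: the pre-login id is dead, the new one carries the user."""
    store = SessionStore()
    ip = "198.51.100.7"                              # constructed client address
    sid = store.create(ip, bind_ip=False)
    new_sid = store.login(sid, ip, "alice")
    return (new_sid != sid
            and store.lookup(sid, ip) is None
            and store.lookup(new_sid, ip)["user"] == "alice")


if __name__ == "__main__":
    print("proxy user rejected by IP binding:", proxy_ip_change_rejects_legit_user())
    print("same-address request passes IP binding:", shared_ip_passes_check())
    print("login regeneration kills the old id:", regeneration_invalidates_preset_id())
```

The first two functions are the two halves of the argument: the binding check costs availability for every user whose address changes mid-session and buys nothing against a request that arrives from the bound address. The third is independent of the client's address entirely, which is what makes it a measure that holds on the "truly untrustable networks" the reply mentions.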

