WebApp Sec mailing list archives

Re: Session Fixation


From: "HarryM" <harrym () the-group org>
Date: Tue, 1 Apr 2003 00:28:18 +0100

Actually, I think suggesting to anyone that they invest in half-measures
when their time can be better spent elsewhere is even more damaging. On the
one hand, I can see your argument: it raises the bar ever so slightly,
which is a good thing. But I don't think it's a good _enough_ thing.
Consider that most people implementing these systems _aren't_ experts. They
understand IP, they understand networking, but they don't really think
about how to break things, so relying on IP seems "good enough". Giving the
uninformed bad choices and telling them to get it right is a recipe for
disaster if ever I've seen one.

One should never rely on IP for *anything* :-)

I agree, except to say that I wouldn't consider it "investing in half
measures" - at least, not the way I've coded it - since (a) it's one small
measure among many other precautions taken (tamper-proof cookies, detection
of scripted attacks, input validation, account lockouts, and so on) and (b),
at ~5 lines of code, it's not much of an investment!

I very much agree that it should be made known to as many people as possible
that IP, in the context of web services, is unreliable as a means of
identification, as silly as that may sound to the uninitiated, and that it
should never be depended on for anything - least of all security.

HarryM
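The two measures discussed in this exchange, a tamper-proof cookie and a "~5 lines of code" check that a session's client IP has not changed, sketched as working code. This is an added example for the archive, not code from HarryM or the original poster; the in-memory session table, HMAC-SHA256 as the cookie MAC, the decision to issue a fresh session identifier at login (the usual session-fixation fix, which the thread does not spell out), and the sample addresses are all assumptions of this example.

```python
"""Session-fixation defences sketched in code (added example, not from the list post).

Assumptions not stated in the thread: an in-memory session table, HMAC-SHA256 for
the tamper-proof cookie, a pre-authentication session that is replaced by a fresh
identifier at login, and constructed sample client addresses.
"""
import hashlib
import hmac
import secrets

COOKIE_KEY = secrets.token_bytes(32)  # server-side secret for the cookie MAC (assumed)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "ip": ...}

    def create(self, client_ip):
        """Pre-authentication session: an attacker can plant this id on a victim."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "ip": client_ip}
        return sid

    def login(self, sid, user, client_ip):
        """Fixation fix: discard the pre-auth id and issue a new one at login."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "ip": client_ip}
        return new_sid

    def lookup(self, sid, client_ip, bind_ip=False):
        """Return the user for sid, or None. bind_ip is the IP heuristic from the thread."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if bind_ip and entry["ip"] != client_ip:
            return None
        return entry["user"]


def seal_cookie(sid):
    """Tamper-proof cookie: the session id plus an HMAC the client cannot forge."""
    mac = hmac.new(COOKIE_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def open_cookie(cookie):
    """Verify the MAC in constant time; return the session id, or None if altered."""
    sid, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return sid


def fixation_attempt():
    """Attacker plants a session id on the victim, who then logs in with it.
    Returns True if the planted id is afterwards a logged-in session."""
    store = SessionStore()
    attacker_ip, victim_ip = "198.51.100.7", "203.0.113.5"  # constructed sample addresses
    planted = store.create(attacker_ip)          # attacker obtains a pre-auth id
    store.login(planted, "alice", victim_ip)     # victim logs in; a new id replaces it
    return store.lookup(planted, attacker_ip) == "alice"


def ip_binding_outcomes():
    """What IP binding does and does not buy.
    Returns (legitimate user still logged in after an IP change,
             attacker behind the same NAT/proxy accepted)."""
    store = SessionStore()
    nat_ip = "203.0.113.5"  # constructed: victim and attacker share one NAT or proxy
    sid = store.login(store.create(nat_ip), "alice", nat_ip)
    legit_after_ip_change = store.lookup(sid, "203.0.113.99", bind_ip=True) == "alice"
    attacker_same_nat = store.lookup(sid, nat_ip, bind_ip=True) == "alice"
    return legit_after_ip_change, attacker_same_nat
```

Run `fixation_attempt()` and `ip_binding_outcomes()` to see the two points of the thread side by side: regenerating the identifier at login defeats the planted session outright, while the IP check both locks out a legitimate user whose address changes and admits an attacker who shares the victim's NAT or proxy, which is why it counts only as one small measure among others rather than a defence on its own.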
