WebApp Sec mailing list archives

RE: Tying a session to an IP address


From: "Mike Randall" <mrandall () ajla net>
Date: Mon, 10 May 2004 08:50:00 -0500

The application I'm now working on requires users to reauthenticate if
their IP address changes in mid-session.  Their session then resumes
where they left off.   Since some users on dial-up can switch IPs
frequently, we set it up so that they must reauthenticate once per IP
address.  So, if they bounce back and forth among 4 IP addresses in a
session, they must authenticate only 4 times, instead of each time their
IP switches.

Mike Randall
APA IV, Web Developer
AJLA-TS, KDHR
Email: mrandall () ajla net

-----Original Message-----
From: Paul Johnston [mailto:paul () westpoint ltd uk] 
Sent: Monday, May 10, 2004 8:14 AM
To: webappsec () securityfocus com
Subject: Tying a session to an IP address

Hi,

I'm interested in the merits of restricting a session to an IP address. 
I realise this isn't great security as often many users will appear to
come from the same IP address (NAT, proxies, etc.) However, if you
consider the case where an attacker uses an XSS vulnerability to steal
the session ID, then the IP address restriction raises the bar
considerably for an arbitrary remote attacker to exploit this. I'm
worried that the IP address restriction wouldn't work for all users -
e.g. if their ISP uses load-balanced web caches. Does anyone know how
common such arrangements are in practice? Perhaps something to be done
then is just check the top 16 bits of the IP address. This is likely to
work for all such network arrangements and still raises the bar a lot
for remote attacks.

Does anyone here already restrict sessions by IP address?

Regards,

Paul

--
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk
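
The two policies discussed in this thread, as an added example that is not code from either poster: a session remembers every address (or prefix) it has authenticated from, so a dial-up user bouncing between addresses logs in once per address rather than on every change (the reply's policy), and the comparison can be done on the exact address or only on the top 16 bits (the /16 idea in the original post). The function names, the sample addresses, and the choice to bind IPv6 clients to a /64 are my assumptions. One caveat the thread does not raise: the address fed into the check must be the TCP peer address, or a header written by a proxy you control, since a client can put anything in X-Forwarded-For.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed policy knob (not from the thread): IPv4 sessions are bound to the
# top prefix_bits of the client address; IPv6 clients are bound to their /64.
IPV6_PREFIX_BITS = 64


@dataclass
class Session:
    user: str
    # Network keys (e.g. "10.1.0.0/16") the user has authenticated from so far.
    authenticated_from: set = field(default_factory=set)


def network_key(client_ip: str, prefix_bits: int = 32) -> str:
    """Reduce a client address to the prefix the session is bound to.

    prefix_bits=32 binds to the exact IPv4 address; prefix_bits=16 keeps only
    the top 16 bits.  Call this with the TCP peer address or a header set by
    a proxy you control, never with a raw client-supplied X-Forwarded-For.
    """
    addr = ipaddress.ip_address(client_ip)
    bits = prefix_bits if addr.version == 4 else IPV6_PREFIX_BITS
    # strict=False zeroes the host bits instead of rejecting "10.1.2.3/16".
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def check_request(session: Session, client_ip: str, prefix_bits: int = 32) -> str:
    """Return "ok" if the request comes from a prefix this session has
    already authenticated from, otherwise "reauth_required"."""
    if network_key(client_ip, prefix_bits) in session.authenticated_from:
        return "ok"
    return "reauth_required"


def reauthenticate(session: Session, client_ip: str, credentials_ok: bool,
                   prefix_bits: int = 32) -> bool:
    """Bind the session to the caller's prefix after a successful login.

    The session object is kept, so the user resumes where they left off."""
    if not credentials_ok:
        return False
    session.authenticated_from.add(network_key(client_ip, prefix_bits))
    return True


def replay(ip_sequence, prefix_bits: int = 32, remember_previous: bool = True) -> int:
    """Replay one user's request source addresses against a fresh session and
    return how many times they were asked to log in.

    remember_previous=True is the once-per-address policy from the reply;
    False rebinds to the latest address only, so every change costs a login."""
    session = Session(user="alice")
    logins = 0
    for ip in ip_sequence:
        if check_request(session, ip, prefix_bits) != "ok":
            if not remember_previous:
                session.authenticated_from.clear()
            reauthenticate(session, ip, True, prefix_bits)
            logins += 1
    return logins


# Constructed sample: a dial-up user bouncing between two addresses in the
# same /16.
DIALUP_REQUESTS = ["10.1.2.3", "10.1.9.9", "10.1.2.3", "10.1.9.9", "10.1.2.3"]


def stolen_cookie_outcome(attacker_ip: str, prefix_bits: int = 16) -> str:
    """What happens when an attacker replays alice's session id from attacker_ip
    after alice authenticated from 10.1.2.3 (constructed scenario)."""
    session = Session(user="alice")
    reauthenticate(session, "10.1.2.3", True, prefix_bits)
    return check_request(session, attacker_ip, prefix_bits)


if __name__ == "__main__":
    print("exact, once per address:", replay(DIALUP_REQUESTS, 32, True))   # 2
    print("exact, rebind on change:", replay(DIALUP_REQUESTS, 32, False))  # 5
    print("/16, once per prefix:   ", replay(DIALUP_REQUESTS, 16, True))   # 1
    print("remote attacker:", stolen_cookie_outcome("198.51.100.7"))       # reauth_required
    print("attacker in same /16:", stolen_cookie_outcome("10.1.200.1"))    # ok
```

The last line of the run is the limitation the original post concedes: with a /16 comparison, anyone behind the same ISP block as the victim (or sharing the victim's NAT or proxy address under an exact comparison) presents the stolen session id unchallenged, so the check raises the bar for an arbitrary remote attacker but is no substitute for fixing the XSS.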
