Re: Session Management and IP address - experiences?

[Jeremiah Grossman <jeremiah () whitehatsec com>]

I've witnessed tests of ip-bound sessions on both large and small 
(user-base) public web sites.  As expected, the more unique users on 
the web site the more problems with users spontaneously jumping IP's 
and causing problems.

On larger user-base web sites, the number of problems caused (and cost) 
outweighed the security benefits. On the smaller user-base web sites, 
session re-verification using a password was tolerable enough to 
utilize. Also, using only a portion of the IP address helped as well.

For myself, I'm a proponent of ip-binding sessions when appropriate. It 
makes the wall just a little bit higher.


Regards,

Jeremiah-





On Thursday, September 2, 2004, at 05:53  AM, Thomas Schreiber wrote:

> A question about their experiences to those people that are running web
> applications with the clients ip address bound to the session. I.e. 
> when
> creating a session, the client-ip is stored and then compared with 
> every
> request. Only if the client-ip has not changed, the request is 
> accepted as
> beeing part of the session.
>
> It is common knowledge, that things like loadbalanced proxies, where 
> the ip
> address might change within a running session, interfere with this 
> kind of
> security enhanced session management.
>
> But, how strong is the impact in practice really nowadays?
>
> Is it perhaps exceptable, as it happens only in rare cases? If this is 
> the
> case, one might present the user another login where he can prove his
> identity again and continue with the session.
>
> (It is another story that session-ip-binding wouldn't solve the whole
> problem, as there are several szenarios, where an attacker might use 
> the
> same proxy etc. as the victim...)
>
>
> Thomas Schreiber
> ____________________________________________________________
> SecureNet GmbH - http://www.securenet.de