WebApp Sec mailing list archives

Re: Session Management and IP address - experiences?


From: Jeremiah Grossman <jeremiah () whitehatsec com>
Date: Fri, 3 Sep 2004 07:26:55 -0700


On Thursday, September 2, 2004, at 08:53 PM, Frank Knobbe wrote:

> On Thu, 2004-09-02 at 13:17, Jeremiah Grossman wrote:
> > For myself, I'm a proponent of ip-binding sessions when appropriate. It
> > makes the wall just a little bit higher.
>
> What do you consider appropriate?


That's the big question. It's going to be different for each web site, and it probably would be difficult to define for everybody as a baseline.

I would approach feasibility by overlaying the ip-binding feature onto the session management system. When/if a user's IP does change during a session, do not invalidate the session or require password re-verification. Instead, log this event (time, date, IP, user, etc.) for several weeks to later analyze.

Analysis will show the percentage of users who jump IPs and also how often they do so during the session, specific to this particular web site. You'd then have the information required to make an educated business decision between security vs. convenience and hence, appropriateness.

If you feel the percentage of users who jump IPs is too high and would cause unacceptable inconvenience, then you know this solution is not for this web site. The same holds true for how many times they jump IPs during the session. Or perhaps the percentage is so low that the only people who would notice would be intruders.

Hope this helps.


Regards,

Jeremiah
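The observe-first rollout described in the message above, as an added example that is not part of the original post or of any product discussed on the list: a session store with IP binding that, in observe mode, logs a mismatch and follows the client instead of killing the session, plus the analysis step that turns weeks of such events into the two numbers the post says the decision rests on (share of users who jump IPs, and how often per session). The in-memory store, the CSV event format, the `enforce` flag and the traffic in `simulate()` are all assumptions made for this example; the IP addresses are constructed test data, not observations.

```python
import csv
from collections import defaultdict
from io import StringIO


class SessionStore:
    """In-memory session table with IP binding that can run in observe-only mode.

    Each session is bound to the IP address that created it. When a request
    arrives from a different address the store records an ip_change event;
    with enforce=False it then re-binds the session to the new address and
    lets the request through, so the event log can be analyzed before anyone
    decides whether enforcement is acceptable for this site.
    """

    def __init__(self, enforce=False):
        self.enforce = enforce
        self._sessions = {}   # session_id -> {"user": str, "ip": str}
        self._log = []        # rows of (timestamp, event, user, session_id, ip)

    def login(self, ts, session_id, user, ip):
        """Create a session bound to the login IP (assumed to be the client's real address)."""
        self._sessions[session_id] = {"user": user, "ip": ip}
        self._log.append((ts, "login", user, session_id, ip))

    def request(self, ts, session_id, ip):
        """Validate a request presenting session_id from ip; True if accepted."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        if ip != s["ip"]:
            self._log.append((ts, "ip_change", s["user"], session_id, ip))
            if self.enforce:
                del self._sessions[session_id]   # binding mode: kill the session
                return False
            s["ip"] = ip   # observe mode: follow the client so each hop is counted once
        return True

    def log_text(self):
        """The event log as CSV text, the form it would be stored in for later analysis."""
        buf = StringIO()
        csv.writer(buf, lineterminator="\n").writerows(self._log)
        return buf.getvalue()


def analyze(log_text):
    """Summarize weeks of events: what share of users/sessions changed IP, and how often."""
    users, sessions = set(), set()
    session_user = {}
    changes = defaultdict(int)   # session_id -> number of ip_change events
    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue
        _ts, event, user, sid, _ip = row
        users.add(user)
        sessions.add(sid)
        session_user[sid] = user
        if event == "ip_change":
            changes[sid] += 1
    jumping_users = {session_user[sid] for sid in changes}
    per_session = list(changes.values())
    return {
        "users": len(users),
        "jumping_users": len(jumping_users),
        "user_pct": 100.0 * len(jumping_users) / len(users) if users else 0.0,
        "sessions": len(sessions),
        "jumping_sessions": len(changes),
        "session_pct": 100.0 * len(changes) / len(sessions) if sessions else 0.0,
        "max_changes_per_session": max(per_session, default=0),
        "mean_changes_per_jumping_session": (
            sum(per_session) / len(per_session) if per_session else 0.0
        ),
    }


def simulate():
    """Constructed traffic (not real data): five sessions, two of which hop IPs."""
    store = SessionStore(enforce=False)
    store.login("2004-09-03T07:00:00", "s1", "alice", "192.0.2.10")
    store.login("2004-09-03T07:05:00", "s2", "bob", "198.51.100.20")
    store.request("2004-09-03T07:10:00", "s2", "198.51.100.21")  # bob hops (e.g. a proxy pool)
    store.request("2004-09-03T07:12:00", "s2", "198.51.100.22")  # and hops again
    store.login("2004-09-03T07:20:00", "s3", "carol", "203.0.113.5")
    store.login("2004-09-03T07:30:00", "s4", "dave", "203.0.113.9")
    store.login("2004-09-03T07:31:00", "s5", "bob", "198.51.100.30")
    store.request("2004-09-03T07:40:00", "s4", "192.0.2.77")     # dave hops once
    store.request("2004-09-03T07:41:00", "s1", "192.0.2.10")     # alice: same IP, no event
    return store


if __name__ == "__main__":
    stats = analyze(simulate().log_text())
    for key, value in stats.items():
        print(f"{key}: {value}")
```

Two practical points when running this for real. The address passed to `request()` has to be the one the server actually sees (the TCP peer, or a proxy header that only a trusted load balancer can set); if it is taken from an untrusted header, an intruder simply sends the victim's IP along with the stolen cookie and the binding is worthless. And because observe mode re-binds on every hop, a session that flips between two addresses is counted per hop, which is the "how many times during the session" figure the post asks for; if you only want to know whether a session ever moved, compare against the login IP instead of the last-seen one.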

