WebApp Sec mailing list archives

Re: Session Management and IP address - experiences?


From: Frank Knobbe <frank () knobbe us>
Date: Sat, 04 Sep 2004 13:46:32 -0500

On Fri, 2004-09-03 at 08:24, Adam Shostack wrote:
> So what about binding on the domain portion of the reverse lookup?
>
> Accomplishes somewhat the same thing, making it harder to steal and
> re-use a session, without running into the IP address issues.

If a reverse name is available. Sometimes (often?) it is not.

Plus, where do you limit your filter? On the isp.tld domain? On isp.tld plus
one sub domain? On n-1 domains? (i.e. xxx.locality.area.isp.tld)

If you limit it to a domain, what prevents the attacker from coming from
the same domain? (i.e. aol.com)

Is raising the bar a minimal (insignificant in my opinion) amount higher
worth all this effort? Wouldn't it be more appropriate to put all that
energy into other, more sane security improvements? (such as secure
session/page-view chaining)


Here is another thing to consider. All these web applications
implementing IP binding attempts will have to be redone once IPv6
arrives at the door. Imho it would be more appropriate to implement
mechanisms that are transparent to the network layer and only perform at
the application layer. (again, session chain verification comes to mind)

Just some thoughts :)

Regards,
Frank
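As an added illustration of the "session/page-view chaining" Frank refers to above (editorial example code, not from the list thread or from any of its participants), the sketch below keeps a server-side step token per session that changes on every request. A stolen token is only good until the legitimate client makes its next request, and a replay of a stale token invalidates the whole session, so the theft becomes visible instead of silently succeeding. Nothing here depends on the client's IP address or reverse name, which is the point of doing it at the application layer. The in-memory store, the class and function names, and the two scenarios are assumptions made for the example.

```python
import hmac
import secrets


class ChainedSessionStore:
    """Server side of a per-request token chain (hypothetical example store).

    Each session maps to exactly one currently valid step token.  A request
    must present that token; on success the server mints the next one.  Any
    mismatch (stale, guessed or replayed token) ends the session, so a
    divergence in the chain is both rejected and detectable.
    """

    def __init__(self):
        self._sessions = {}  # session_id -> currently expected step token

    def create(self):
        sid = secrets.token_hex(16)
        tok = secrets.token_hex(16)
        self._sessions[sid] = tok
        return sid, tok

    def verify_and_advance(self, sid, presented):
        expected = self._sessions.get(sid)
        if expected is None:
            return None  # unknown or already terminated session
        # Constant-time compare so the check itself leaks nothing about the token
        if not hmac.compare_digest(expected, presented):
            # Chain diverged: someone used a token that is no longer current.
            # Kill the session so neither party can continue unnoticed.
            del self._sessions[sid]
            return None
        nxt = secrets.token_hex(16)
        self._sessions[sid] = nxt
        return nxt


def simulate_theft_and_replay():
    """Attacker captures an early token and replays it after the user moved on.

    Constructed scenario: the replay is rejected and the session is torn down,
    so the legitimate user's next request fails too (a visible theft signal).
    """
    store = ChainedSessionStore()
    sid, tok = store.create()
    stolen = tok                      # attacker sniffs the first step token
    for _ in range(3):                # user keeps browsing: three page views
        tok = store.verify_and_advance(sid, tok)
        assert tok is not None
    attacker = store.verify_and_advance(sid, stolen)   # stale token replayed
    user = store.verify_and_advance(sid, tok)          # user's now-dead session
    return {"attacker_accepted": attacker is not None,
            "user_still_valid": user is not None}


def simulate_attacker_first():
    """Caveat: if the attacker uses the *current* token before the user does,
    chaining does not prevent that one request; it only guarantees the user
    is locked out afterwards, which is what makes the theft detectable.
    """
    store = ChainedSessionStore()
    sid, tok = store.create()
    attacker = store.verify_and_advance(sid, tok)   # attacker races ahead
    user = store.verify_and_advance(sid, tok)       # user presents the same, now-stale token
    return {"attacker_accepted": attacker is not None,
            "user_still_valid": user is not None}


if __name__ == "__main__":
    print("replay of stale token:", simulate_theft_and_replay())
    print("attacker races ahead: ", simulate_attacker_first())
```

The second scenario is the honest limitation of the approach: chaining converts a silent session hijack into a race that the legitimate user loses visibly, which is a detection property, not a prevention one. A deployment would pair it with an audit event on divergence and with the usual transport protection of the cookie.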
