WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: Frank Knobbe <frank () knobbe us>
Date: Sat, 04 Sep 2004 13:46:32 -0500
On Fri, 2004-09-03 at 08:24, Adam Shostack wrote:
So what about binding on the domain portion of the reverse lookup? Accomplishes somewhat the same thing, making it harder to steal and re-use a session, without running into the IP address issues.
If a reverse name is available. Sometimes (often?) it is not. Plus, where do you limit your filter? On the isp.tld domain? On isp.tld plus one sub domain? On n-1 domains? (i.e. xxx.locality.area.isp.tld) If you limit it to a domain, what prevents the attacker from coming from the same domain? (i.e. aol.com) Is raising the bar a minimal (insignificant in my opinion) amount higher worth all this effort? Wouldn't it be more appropriate to put all that energy into other, more sane security improvements? (such as secure session/page-view chaining)

Here is another thing to consider. All these web applications implementing IP binding attempts will have to be redone once IPv6 arrives at the door. Imho it would be more appropriate to implement mechanisms that are transparent to the network layer and only perform at the application layer. (again, session chain verification comes to mind)

Just some thoughts :)

Regards,
Frank
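One way to realise the application-layer "page-view chaining" Frank refers to, as an added example written for this archive page (not code from the thread or its participants); the HMAC-linked chain, the class name and the constructed session ID are assumptions about what such a mechanism could look like:

```python
import hmac
import hashlib
import secrets

# Constructed per-process key; a real deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


class ChainedSession:
    """Server-side session state whose proof-of-possession token changes on
    every page view.

    Each response hands the client a fresh one-time token; the next request
    must present it. A copied session ID alone is useless, a replayed token
    fails because the chain has already advanced, and the mismatch is a
    hijack indicator that ends the session. Nothing here depends on the
    client's IP address or reverse DNS, so it survives NAT, proxies and IPv6.
    """

    def __init__(self, session_id: str):
        self.session_id = session_id
        self.alive = True
        # Link 0 of the chain is random, so a client cannot derive it.
        self.current = secrets.token_hex(32)

    def _next_link(self) -> str:
        # Each link is keyed on the previous one: HMAC(key, session_id || prev).
        msg = f"{self.session_id}:{self.current}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def token_for_client(self) -> str:
        """Token to embed in the response (hidden field, header or cookie)."""
        return self.current

    def validate_and_advance(self, presented: str) -> bool:
        """Check the token sent with a request and move the chain forward.

        Returns False and kills the session on any mismatch, so a stolen
        token used by either party leaves both locked out and forces a
        fresh authentication. Log such events as possible session hijacks.
        """
        if not self.alive:
            return False
        if not hmac.compare_digest(presented.encode(), self.current.encode()):
            self.alive = False
            return False
        self.current = self._next_link()
        return True
```

Locking out the legitimate user on a mismatch is deliberate: it turns a silent hijack into a visible re-login and an auditable event.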