Re: Session Management and IP address - experiences?

[avarni () tech cj com]

On Thu, 2 Sep 2004, David Wall @ Yozons, Inc. wrote:

> > Is it perhaps exceptable, as it happens only in rare cases? If this is the
> > case, one might present the user another login where he can prove his
> > identity again and continue with the session.
>
> But what ACTUAL problem are you trying to avoid?  Have you seen someone step
> in the middle of one of your users activities, steal a session cookie, and
> then impersonate them?  If not, perhaps you are solving problems you don't
> really have, so why put the headache in for those who will have issues
> because they are being such proxies?

Well, take this example:

Attacker exploits an XSS problem somewhere in your web-app. Member logs
in, triggers the XSS, at which point attacker instantly gains access
to that member's account.  If it were safe to bind an IP address to
a session (which I don't think it is), it would make the attack a lot
more difficult.

And yes, I've seen this done a few times.