WebApp Sec mailing list archives
Re: Session Management and IP address - experiences?
From: avarni () tech cj com
Date: Fri, 3 Sep 2004 10:14:20 -0700 (PDT)
On Thu, 2 Sep 2004, David Wall @ Yozons, Inc. wrote:
> Is it perhaps acceptable, as it happens only in rare cases? If this is the case, one might present the user another login where he can prove his identity again and continue with the session. But what ACTUAL problem are you trying to avoid? Have you seen someone step in the middle of one of your users' activities, steal a session cookie, and then impersonate them? If not, perhaps you are solving problems you don't really have, so why put the headache in for those who will have issues because they are being such proxies?
Well, take this example: Attacker exploits an XSS problem somewhere in your web-app. Member logs in, triggers the XSS, at which point attacker instantly gains access to that member's account. If it were safe to bind an IP address to a session (which I don't think it is), it would make the attack a lot more difficult. And yes, I've seen this done a few times.
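The middle ground the two posts circle around (bind the session to the login address, but answer a mismatch with a step-up login rather than a hard logout) can be sketched in a few dozen lines. The following is an added illustration, not code from the original thread or from any poster; the class names, the session layout and the request addresses are constructed for this example. A replayed cookie from a different address stops getting access on its own, while a legitimate user whose proxy changed address proves identity once and keeps the session state.

```python
"""
Added illustration (not from the original thread): a minimal session store that
records the client IP at login and, on a later request from a different
address, flags the session for re-authentication instead of silently
continuing or destroying it. All names, the session layout and the sample
addresses below are constructed for this example.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    bound_ip: str
    created: float
    needs_reauth: bool = False
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user, client_ip):
        # 128-bit random token; the token value is the only secret in the cookie,
        # so it must come from a CSPRNG, never from a counter or timestamp.
        token = secrets.token_urlsafe(16)
        self._sessions[token] = Session(user, client_ip, time.time())
        return token

    def check(self, token, client_ip):
        """Return (status, session); status is 'ok', 'reauth' or 'invalid'."""
        s = self._sessions.get(token)
        if s is None:
            return "invalid", None
        if s.bound_ip != client_ip:
            # Address changed: could be a rotating proxy, could be a stolen cookie.
            # Do not guess; require proof of identity before granting access,
            # and keep the flag set until that proof arrives.
            s.needs_reauth = True
        if s.needs_reauth:
            return "reauth", s
        return "ok", s

    def reauth(self, token, client_ip, password_ok):
        """Called after the user re-enters credentials from the new address."""
        s = self._sessions.get(token)
        if s is None or not password_ok:
            return False
        # Rebind to the new address; session data (cart, form state) is preserved,
        # which is what keeps the proxy-farm users from losing their work.
        s.bound_ip = client_ip
        s.needs_reauth = False
        return True


def demo():
    """Constructed walk-through: legitimate user changes address mid-session."""
    store = SessionStore()
    token = store.login("alice", "203.0.113.10")
    store._sessions[token].data["cart"] = ["book"]
    results = []
    results.append(store.check(token, "203.0.113.10")[0])  # same address: ok
    results.append(store.check(token, "198.51.100.7")[0])  # new address: reauth
    # The user re-enters the password from the new address and continues.
    store.reauth(token, "198.51.100.7", password_ok=True)
    results.append(store.check(token, "198.51.100.7")[0])  # ok again
    results.append(store._sessions[token].data["cart"])    # state survived
    results.append(store.check(token, "192.0.2.55")[0])    # another change: reauth
    return results


if __name__ == "__main__":
    print(demo())
```

The cost David Wall points out is visible in the last line of `demo()`: a client whose address changes on every request would be asked to re-authenticate on every request, so a deployment that binds to the full address needs to decide how often that is tolerable for its user base (binding to a coarser prefix, or only flagging rather than blocking, are the usual compromises).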
Current thread:
- Session Management and IP address - experiences? Thomas Schreiber (Sep 02)
- Re: Session Management and IP address - experiences? David Wall @ Yozons, Inc. (Sep 02)
- Re: Session Management and IP address - experiences? avarni (Sep 04)
- RE: Session Management and IP address - experiences? Thomas Schreiber (Sep 05)
- Re: Session Management and IP address - experiences? Steven Boone (Sep 02)
- RE: Session Management and IP address - experiences? V. Poddubnyy (Sep 02)
- Re: Session Management and IP address - experiences? Jeremiah Grossman (Sep 02)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- Re: Session Management and IP address - experiences? Jeremiah Grossman (Sep 04)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- Re: Session Management and IP address - experiences? saphyr (Sep 02)
- Re: Session Management and IP address - experiences? Ben Timby (Sep 02)
- Re: Session Management and IP address - experiences? Bill Marquette (Sep 02)
- Re: Session Management and IP address - experiences? Adam Shostack (Sep 05)
(Thread continues...)
- Re: Session Management and IP address - experiences? David Wall @ Yozons, Inc. (Sep 02)