WebApp Sec mailing list archives

Re: Session Management and IP address - experiences?


From: focus () karsites net
Date: Fri, 3 Sep 2004 07:09:26 +0000 (GMT)


Would it be feasible to log the user's IP and their activity
on the site into another database table for forensic
analysis at a later date, if needed, instead of binding the
IP address to the current session?

Regards - Keith Roberts

my 2cents worth

---------- Forwarded message ----------
To: Thomas Schreiber <ts () secure-net de>
From: Ben Timby <asp () webexc com>
Subject: Re: Session Management and IP address - experiences?

You are forgetting the other case...

NAT routers, where a set of users all have the SAME IP address.

I have never used this method for the problems that would no doubt ensue.

In addition to what you mentioned, AOL, the largest ISP on the planet
uses the load balancing proxies, thus AOL users will migrate between
IPs, thus losing their session data.

Thomas Schreiber wrote:

A question about their experiences to those people that are running web
applications with the client's IP address bound to the session. I.e. when
creating a session, the client IP is stored and then compared with every
request. Only if the client IP has not changed, the request is accepted as
being part of the session.

It is common knowledge that things like load-balanced proxies, where the IP
address might change within a running session, interfere with this kind of
security-enhanced session management.

But, how strong is the impact in practice really nowadays?

Is it perhaps acceptable, as it happens only in rare cases? If this is the
case, one might present the user another login where he can prove his
identity again and continue with the session.

(It is another story that session-IP-binding wouldn't solve the whole
problem, as there are several scenarios where an attacker might use the
same proxy etc. as the victim...)


Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
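The three ways of handling an IP change that the thread weighs (Thomas's strict binding, his suggested re-login on change, and Keith's log-it-for-forensics alternative), as an added illustration that is not code from any of the posters; the session ids, user names and addresses are constructed sample values:

```python
"""Session store with three policies for a client IP that changes mid-session."""
from dataclasses import dataclass, field
from typing import Dict, List, Literal, Tuple

Policy = Literal["bind", "reauth", "log"]  # strict binding / re-login / log only

@dataclass
class Session:
    user: str
    ip: str                     # client IP recorded when the session was created
    needs_reauth: bool = False  # set when the "reauth" policy sees an IP change

@dataclass
class SessionStore:
    policy: Policy
    sessions: Dict[str, Session] = field(default_factory=dict)
    # forensic trail (Keith's suggestion): (session id, user, ip, event)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def create(self, sid: str, user: str, ip: str) -> None:
        self.sessions[sid] = Session(user, ip)
        self.audit.append((sid, user, ip, "login"))

    def check(self, sid: str, ip: str, action: str) -> str:
        """Validate a request; returns 'ok', 'reauth' or 'rejected'."""
        s = self.sessions.get(sid)
        if s is None:
            return "rejected"
        if s.needs_reauth:
            return "reauth"                 # keep asking until the user re-logs in
        if ip != s.ip:
            self.audit.append((sid, s.user, ip, f"ip-change from {s.ip}"))
            if self.policy == "bind":       # strict binding: drop the session
                del self.sessions[sid]
                return "rejected"
            if self.policy == "reauth":     # ask the user to prove identity again
                s.needs_reauth = True
                return "reauth"
            s.ip = ip                       # "log": accept, record, move on
        self.audit.append((sid, s.user, ip, action))
        return "ok"

    def reauthenticate(self, sid: str, ip: str, credentials_ok: bool) -> bool:
        """Complete the extra login; rebinds the session to the new IP."""
        s = self.sessions.get(sid)
        if s is None or not credentials_ok:
            return False
        s.ip, s.needs_reauth = ip, False
        self.audit.append((sid, s.user, ip, "reauth"))
        return True

def demo(policy: Policy) -> Tuple[str, str, int]:
    store = SessionStore(policy)
    store.create("s1", "alice", "10.0.0.1")
    r1 = store.check("s1", "10.0.0.1", "view")
    r2 = store.check("s1", "10.0.0.2", "view")   # proxy/NAT changed the address
    return r1, r2, len(store.audit)
```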



