WebApp Sec mailing list archives
RE: Session Management and IP address - experiences?
From: "Fling, Steven" <sfling () oppenheimerfunds com>
Date: Fri, 3 Sep 2004 09:09:27 -0600
One way to handle this is reactively (monitoring and alerting on such activity) vs. proactively (blocking access). With common monitoring tools you can set up rules to alert when a new IP is attempting to access an existing session, but prevent such alerts for known ISPs that utilize IP pooling techniques. Support staff can then apply human intelligence in the moment to determine if access needs to be cut off at the firewall level for the suspect IP.

=========================
Steve Fling
Manager of External Touchpoints
OppenheimerFunds, Inc.
303-768-3200 p
303-768-1096 f
sfling () oppenheimerfunds com <mailto:sfling () oppenheimerfunds com>
=========================

-----Original Message-----
From: David Wall @ Yozons, Inc. [mailto:dwall () yozons com]
Sent: Thursday, September 02, 2004 1:40 PM
To: webappsec () lists securityfocus com
Subject: Re: Session Management and IP address - experiences?

> It is common knowledge that things like load-balanced proxies, where the IP
> address might change within a running session, interfere with this kind of
> security-enhanced session management.

It's pretty common, especially for those using the biggest ISPs who use these schemes. Most others come from a single proxy or NAT/gw so the IP wouldn't change.

> Is it perhaps acceptable, as it happens only in rare cases? If this is the
> case, one might present the user another login where he can prove his
> identity again and continue with the session.

But what ACTUAL problem are you trying to avoid? Have you seen someone step in the middle of one of your users' activities, steal a session cookie, and then impersonate them? If not, perhaps you are solving problems you don't really have, so why put the headache in for those who will have issues because they are behind such proxies?

> (It is another story that session-IP-binding wouldn't solve the whole
> problem, as there are several scenarios where an attacker might use the
> same proxy etc. as the victim...)

Exactly, which also leads to the question of why bother? Perhaps if IPv6 ever gets into widespread use (ha ha ha?!) this will be powerful because such proxies may no longer be there. Today, it seems like solving a problem that perhaps doesn't exist. Couple a good session id (random and long) with SSL and you'll find most of your security violations result from bad passwords and social engineering attacks -- they are much easier to hack than stepping in the middle of a session...

David
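The reactive approach Steve describes (alert when a session is suddenly used from a new IP, but stay quiet for ISPs known to pool addresses) is easy to prototype against an access log. The following is an added example, not code from any list member: the log format, the session ids and the "pooling network" (TEST-NET-3, 203.0.113.0/24) are all constructed placeholders, and a real deployment would substitute its own log parser and the actual ISP ranges. Two addresses from the same known pooling network are treated as an expected rotation; any other change is raised for a human to look at, as the post suggests.

```python
import ipaddress
from collections import namedtuple

# Constructed placeholder for ISPs known to rotate client IPs mid-session.
# TEST-NET-3 stands in for a real ISP range here.
POOLING_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample access log: "<timestamp> <session_id> <client_ip> <path>"
SAMPLE_LOG = """\
2004-09-02T13:40:01 s1 192.0.2.10 /account
2004-09-02T13:40:05 s1 192.0.2.10 /account/balance
2004-09-02T13:41:00 s2 203.0.113.5 /login
2004-09-02T13:41:30 s2 203.0.113.77 /account
2004-09-02T13:42:00 s1 198.51.100.9 /account/transfer
this line is malformed and is skipped
2004-09-02T13:43:00 s3 203.0.113.8 /login
2004-09-02T13:43:20 s3 192.0.2.44 /account
"""

Alert = namedtuple("Alert", "session_id old_ip new_ip when path")


def pooling_network_for(ip):
    """Return the known pooling network containing ip (str or address), else None."""
    addr = ipaddress.ip_address(str(ip))
    for net in POOLING_NETWORKS:
        if addr in net:
            return net
    return None


def is_pooled(ip):
    """True when the address belongs to an ISP range known to pool/rotate IPs."""
    return pooling_network_for(ip) is not None


def detect_session_ip_changes(log_lines):
    """Walk the log in order and flag sessions whose client IP changes.

    Returns {"alerts": [...], "suppressed": [...]}: a change is suppressed only
    when both the old and the new address fall inside the *same* known pooling
    network; everything else (including a jump from a pooled range to a
    non-pooled one) becomes an alert for a human to review.
    """
    last_ip = {}          # session_id -> last address seen
    alerts, suppressed = [], []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue      # malformed line: skip rather than crash the monitor
        when, sid, ip_str, path = parts
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue      # unparsable address field
        prev = last_ip.get(sid)
        if prev is not None and prev != ip:
            event = Alert(sid, str(prev), str(ip), when, path)
            prev_net = pooling_network_for(prev)
            same_pool = prev_net is not None and prev_net == pooling_network_for(ip)
            (suppressed if same_pool else alerts).append(event)
        last_ip[sid] = ip
    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    result = detect_session_ip_changes(SAMPLE_LOG.splitlines())
    for a in result["alerts"]:
        print(f"ALERT   session {a.session_id}: {a.old_ip} -> {a.new_ip} at {a.when} ({a.path})")
    for a in result["suppressed"]:
        print(f"pooled  session {a.session_id}: {a.old_ip} -> {a.new_ip} (known IP-pooling ISP)")
```

On the constructed log, session s2 moves within the pooling range and is suppressed, while s1 (two unrelated networks) and s3 (pooled range to non-pooled) produce alerts. The per-network rule is deliberately stricter than "either address is pooled", so that a session hijacked from outside the ISP still surfaces; the firewall block remains a human decision, as in the post.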
Current thread:
- Re: Session Management and IP address - experiences?, (continued)
- Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- RE: Session Management and IP address - experiences? Harry Metcalfe (Sep 04)
- Re: Session Management and IP address - experiences? Viktors Rotanovs (Sep 04)
- Re: Session Management and IP address - experiences? Dave Wichers (Sep 02)
- Re: Session Management and IP address - experiences? Saqib . N . Ali (Sep 04)
- RE: Session Management and IP address - experiences? Mike Randall (Sep 02)
- Session Management and IP address - experiences? Thomas Schreiber (Sep 04)
- Re: Session Management and IP address - experiences? focus (Sep 04)
- Re: Session Management and IP address - experiences? saphyr (Sep 05)
- SpyWare and HTTP headers Steve McCullough (Sep 06)
- Re: Session Management and IP address - experiences? saphyr (Sep 05)
- RE: Session Management and IP address - experiences? Fling, Steven (Sep 04)
- re: Session Management and IP address - experiences? eax (Sep 04)