WebApp Sec mailing list archives

Re: Session Management and IP address - experiences?

From: Viktors Rotanovs <Viktors () Rotanovs com>
Date: Sun, 05 Sep 2004 04:55:20 +0300

Thomas Schreiber wrote:

> A question about their experiences to those people that are running web
> applications with the clients ip address bound to the session.

From my experience, binding session to first two octets of IP addressis safe, and adding HttpOnly to session cookie solves a problem when badjavascripts steal session cookies.

For more info about HttpOnly:
http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp

AFAIK HttpOnly is supported in MSIE, Mozilla/Firefox and Konqueror (andprobably others).

I've also written HttpOnly patch for PHP4:
http://rotanovs.com/php-session-httponly.patch

To enable HttpOnly support, apply this patch and add this string to yourphp.ini:

session.cookie_httponly = 1

Best Wishes,
Viktors

Current thread:

RE: Session Management and IP address - experiences?, (continued)
- RE: Session Management and IP address - experiences? V. Poddubnyy (Sep 02)
- Re: Session Management and IP address - experiences? Jeremiah Grossman (Sep 02)
  - Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
    - Re: Session Management and IP address - experiences? Jeremiah Grossman (Sep 04)
- Re: Session Management and IP address - experiences? saphyr (Sep 02)
- Re: Session Management and IP address - experiences? Ben Timby (Sep 02)
- Re: Session Management and IP address - experiences? Bill Marquette (Sep 02)
  - Re: Session Management and IP address - experiences? Adam Shostack (Sep 05)
    - Re: Session Management and IP address - experiences? Frank Knobbe (Sep 04)
- RE: Session Management and IP address - experiences? Harry Metcalfe (Sep 04)
- Re: Session Management and IP address - experiences? Viktors Rotanovs (Sep 04)
- Re: Session Management and IP address - experiences? Dave Wichers (Sep 02)
  - Re: Session Management and IP address - experiences? Saqib . N . Ali (Sep 04)
- RE: Session Management and IP address - experiences? Mike Randall (Sep 02)
- Session Management and IP address - experiences? Thomas Schreiber (Sep 04)
- Re: Session Management and IP address - experiences? focus (Sep 04)
  - Re: Session Management and IP address - experiences? saphyr (Sep 05)
    - SpyWare and HTTP headers Steve McCullough (Sep 06)
- RE: Session Management and IP address - experiences? Fling, Steven (Sep 04)
- re: Session Management and IP address - experiences? eax (Sep 04)