WebApp Sec mailing list archives
RE: state management by client IP address for Web App Sessions
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 25 Feb 2005 16:50:46 -0600
Hey, thanks all for feedback. I clearly worded this wrong in haste. My concern is state management. I'm finishing a whitepaper on state and session management and it just hit me that the metrics I'm going on are a biased sample (US, Canadian, and a small European sample from specific Western countries).

I'm not concerned with the percentage of same-source. Obviously that's what rfc-reserved space + NAT results in. I was curious how common it is that user Abba from src 127.0.0.1 all of a sudden switches to src 127.0.0.1, or even 128.0.0.1. There are certain ISPs (AOL being the most guilty) that do this. In the US, if you build a webapp that services a client population coming from ISPs that do this, you absolutely cannot track/validate/session-handle based upon src IP.

I am presenting some of the results of this at Black Hat Europe and some at OWASP 2005 in London, and thought that before I speak like a provincial fool I should see if this phenomenon holds true in other countries, particularly Asia, Eastern Europe, and other emerging markets like South America.

Thanks for the feedback; any more related to IP src changes (not many-to-one NAT) mid-session from different parts of the world is appreciated.

Arian Evans
Sr. Security Engineer
FishNet Security
KC Office: 816.421.6611
Direct: 816.701.2045
Toll Free: 888.732.9406
Fax: 816.474.0394
http://www.fishnetsecurity.com
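The failure mode described in the post, as an added example that is not part of the original message or of any FishNet material: a session store that binds the session to the source IP logs a legitimate user out the moment their ISP presents a different address mid-session, while a store that treats the unpredictable token as the sole authority and records the IP change only as a risk signal keeps the session alive. The user name, addresses (RFC 5737 documentation ranges) and store API are constructed for the demonstration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    token: str                      # unpredictable bearer secret; the real authority
    first_ip: str                   # source IP observed at login
    ip_history: list = field(default_factory=list)


class SessionStore:
    """Constructed in-memory store with two policies for a mid-session source IP change."""

    def __init__(self, strict_ip_binding: bool):
        self.strict = strict_ip_binding
        self._by_token = {}

    def login(self, user: str, client_ip: str) -> str:
        # 256-bit random token, never derived from the user name or the client IP.
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(user, token, client_ip, [client_ip])
        return token

    def validate(self, token: str, client_ip: str):
        """Return (authenticated, ip_changed) for a request presenting `token` from `client_ip`."""
        sess = self._by_token.get(token)
        if sess is None:
            return False, False
        changed = client_ip != sess.first_ip
        if changed:
            sess.ip_history.append(client_ip)
            if self.strict:
                # IP-bound policy: the ISP's address rotation looks like a hijack, so the
                # session is destroyed and the legitimate user is logged out.
                del self._by_token[token]
                return False, True
        # Token-authority policy: the request is accepted; the change is surfaced to
        # logging/anomaly review rather than used as a hard session check.
        return True, changed


def simulate_isp_rotation(strict: bool):
    """User 'Abba' logs in from one address; the ISP proxy then presents another on the next request."""
    store = SessionStore(strict_ip_binding=strict)
    token = store.login("Abba", "192.0.2.10")
    ok_first, _ = store.validate(token, "192.0.2.10")       # same address: fine under both policies
    ok_second, flagged = store.validate(token, "198.51.100.7")  # ISP rotates the source address
    return ok_first, ok_second, flagged
```

Under the strict policy the second call returns `(True, False, True)`: the user is dropped on the rotated address; under the token-authority policy it returns `(True, True, True)`, accepted but flagged.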