Re: Session Management and IP address - experiences?
From: Adam Shostack (adamhomeport.org)
Date: Fri Sep 03 2004 - 08:24:34 CDT
So what about binding on the domain portion of the reverse lookup?
Accomplishes somewhat the same thing, making it harder to steal and
re-use a session, without running into the IP address issues.
On Thu, Sep 02, 2004 at 09:00:21PM -0500, Bill Marquette wrote:
| Forget it if you plan on having users from large ISPs (AOL) using your
| application. Further, many corporate environments load balance
| outbound browsing.
| On Thu, 2 Sep 2004 14:53:58 +0200, Thomas Schreiber <tssecure-net.de> wrote:
| > A question about their experiences to those people that are running web
| > applications with the clients ip address bound to the session. I.e. when
| > creating a session, the client-ip is stored and then compared with every
| > request. Only if the client-ip has not changed, the request is accepted as
| > being part of the session.
| > It is common knowledge that things like load-balanced proxies, where the ip
| > address might change within a running session, interfere with this kind of
| > security enhanced session management.
| > But, how strong is the impact in practice really nowadays?
| > Is it perhaps acceptable, as it happens only in rare cases? If this is the
| > case, one might present the user another login where he can prove his
| > identity again and continue with the session.
| > (It is another story that session-ip-binding wouldn't solve the whole
| > problem, as there are several scenarios, where an attacker might use the
| > same proxy etc. as the victim...)
| > Thomas Schreiber
| > ____________________________________________________________
| > SecureNet GmbH - http://www.securenet.de