[WEB SECURITY] tying sessions to IP addresses

Brian Eaton eaton.lists at gmail.com
Fri Jun 9 09:57:44 EDT 2006


Does anyone have some experience with systems that defend against
theft of session cookies by verifying that the IP address that uses a
session is the same one that initiated the session?

These are the problems with the technique that I'm aware of.

- many clients can share a single IP address, e.g. a proxy.  (For
example: http://webmaster.info.aol.com/proxyinfo.html)

- a single client can change an IP address.  (For example:
http://vegan.net/lb/archive/08-2004/0109.html)

- a vulnerability that allows cookie theft can frequently be used for
attacks other than cookie theft, such as forcing the victim's browser
to perform some task directly.  (For example:
http://www.whitehatsec.com/presentations/phishing_superbait.pdf)

Am I leaving off any important limitations to the technique?  Are the
limitations I've listed significant problems?

If you're going to deal with the changing IP address problem, that
implies some management overhead to identify and eliminate false
positives where users are prematurely logged out because they happened
to switch IP addresses.  How much of a problem does this management
overhead cause?

It seems like the HttpOnly Microsoft set-cookie extension provides
most (though not all) of the same benefits as tying sessions to IP
addresses, while being significantly easier to implement and manage.
Any thoughts on that?

Regards.
Brian
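As an added illustration of the trade-offs raised in the post (not code from the original message or from the list), the following Python sketch binds a session to the client's IP network rather than to the exact address, so a client that moves within the same /24 or /64 keeps its session while a request from elsewhere is rejected. It also shows the two pieces the post touches on: deriving the client address behind a proxy only from hops the server trusts, and emitting the session cookie with HttpOnly (plus Secure and SameSite). The prefix lengths, the trusted proxy range, the cookie name and all IP addresses are constructed assumptions for the example.

```python
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    bound_network: object  # ipaddress.IPv4Network or IPv6Network the session is tied to


class SessionStore:
    """In-memory session store that ties each session to a client network.

    ipv4_prefix / ipv6_prefix control the tolerance: /32 and /128 bind to the
    exact address (strict, more false logouts when addresses change), wider
    prefixes tolerate movement inside the same network at the cost of a
    weaker check against theft from a neighbour on that network.
    """

    def __init__(self, ipv4_prefix=24, ipv6_prefix=64):
        self.ipv4_prefix = ipv4_prefix
        self.ipv6_prefix = ipv6_prefix
        self._sessions = {}

    def _network_for(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        prefix = self.ipv4_prefix if addr.version == 4 else self.ipv6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def create(self, user, client_ip):
        # Random, unguessable token; the IP binding is an extra check on top of it.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._network_for(client_ip))
        return token

    def lookup(self, token, client_ip):
        """Return the session's user, or None if unknown or presented from outside the bound network.

        A mismatch is treated as possible cookie theft: the session is invalidated,
        which is exactly the false-positive cost the post describes when a
        legitimate user's address changes.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if ipaddress.ip_address(client_ip) not in sess.bound_network:
            del self._sessions[token]
            return None
        return sess.user


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Pick the client address to bind to when the app sits behind a proxy.

    Walks X-Forwarded-For from the right, peeling off only hops that are in
    trusted_proxies (list of CIDR strings). A client cannot spoof its way past
    this because the header is only honoured when the TCP peer is trusted.
    Raises ValueError if the resulting address is not a valid IP.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    ip = remote_addr
    while hops and any(ipaddress.ip_address(ip) in net for net in trusted):
        ip = hops.pop()
    ipaddress.ip_address(ip)  # validate before the caller binds to it
    return ip


def session_cookie_header(token, secure=True):
    """Build the Set-Cookie line; HttpOnly keeps script on the page from reading it."""
    attrs = [f"session={token}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    # Constructed sample traffic: login from 203.0.113.10 behind a trusted proxy.
    store = SessionStore()
    client = effective_client_ip("10.0.0.2", "203.0.113.10, 10.0.0.3", ["10.0.0.0/8"])
    token = store.create("alice", client)
    print(session_cookie_header(token))
    print(store.lookup(token, "203.0.113.77"))   # same /24: alice
    print(store.lookup(token, "198.51.100.5"))   # other network: None, session dropped
```

Widening the prefix reduces the premature logouts the post asks about but does not help clients whose address changes across networks (mobile users, load-balanced proxy pools), which is why the check is best treated as one signal among several rather than a hard gate.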

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/