[WEB SECURITY] IP address change: relogin

Stephan Wehner stephanwehner at gmail.com
Wed May 21 16:08:27 EDT 2008


Let's say one records, when a user logs in to a web-app, the user's
present IP address.
On a later request, if the user's IP address has changed, the web-app
could ask for a re-login.

I'm thinking about stolen session IDs through JavaScript attacks. Are
there arguments against such a scheme?
For example, would some people run into this frequently, because of
the way their ISP's DHCP is set up?
On the other hand sometimes IP addresses are shared. But I guess
cross-site scripting attacks "in the office" are pretty unlikely.

Thanks,

Stephan

-- 
Stephan Wehner

-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org
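
The scheme described in the message above, as an added example that is not part of the original post: a session table that records the client address at login and demands a re-login when a later request arrives from a different one. The class name, the prefix-length knobs (a way to tolerate address changes inside one network, such as a DHCP lease renewal) and the sample addresses are assumptions of this example.

```python
import ipaddress
import secrets


class SessionStore:
    """In-memory session table that remembers the client IP seen at login."""

    def __init__(self, v4_prefix=32, v6_prefix=128):
        # Assumption of this example: 32/128 means the exact address must
        # match; shorter prefixes accept any address in the same network.
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._sessions = {}  # session id -> (user, network bound at login)

    def _network(self, ip_text):
        ip = ipaddress.ip_address(ip_text)
        # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries,
        # so a dual-stack listener does not cause false mismatches.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def login(self, user, ip_text):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._network(ip_text))
        return sid

    def check(self, sid, ip_text):
        """Return the user name, or None if the caller must log in again."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, bound = entry
        try:
            same = self._network(ip_text) == bound
        except ValueError:
            same = False  # unparseable address: treat it as a change
        if not same:
            # Drop the session so the old id is useless after a mismatch.
            del self._sessions[sid]
            return None
        return user
```

The address passed to `check` has to be the one the server itself observed on the connection; behind a reverse proxy that means a forwarded-for value only from a proxy the application trusts. Clients that share one address, as the message notes, pass this check unchanged.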
