[WEB SECURITY] IP address change: relogin

Shaun shaun at shaunc.com
Wed May 21 16:42:30 EDT 2008


Several years ago I was asked to implement a scheme like this for a
client's site. As it turned out, this rendered the site completely
unusable for AOL customers. AOL's web traffic is (or was) routed through
a proxy farm in such a way that every pageload in a session can
potentially come from a different IP.

Maybe they've changed this behavior, or maybe keeping AOL users out of
your site is actually a benefit, but it's something to consider.

-s

On Wed, 21 May 2008 13:08:27 -0700
"Stephan Wehner" <stephanwehner at gmail.com> wrote:

> Let's say one records, when a user logs in to a web-app, the user's
> present IP address.
> On a later request, if the user's IP address has changed, the web-app
> could ask for a re-login.
> 
> I'm thinking about stolen session IDs through JavaScript attacks. Are
> there arguments against such a scheme?
> For example, would some people run into this frequently, because of
> the way their ISP's DHCP is set up?
> On the other hand sometimes IP addresses are shared. But I guess
> cross-site scripting attacks "in the office" are pretty unlikely.
> 
> Thanks,
> 
> Stephan
> 
> -- 
> Stephan Wehner
> 
> -> http://stephan.sugarmotor.org
> -> http://www.thrackle.org
> -> http://www.buckmaster.ca
> -> http://www.trafficlife.com
> -> http://stephansmap.org
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
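The scheme Stephan describes, and the proxy-farm failure Shaun reports, as an added example that is not code from either poster: a server-side session store that records the login IP and forces a re-login when a later request arrives from a different address. The `prefix_len` knob, the `simulate` helper and all addresses are assumptions constructed for the demo, not anything from the thread.

```python
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str  # client IP recorded at login


class SessionStore:
    """Session table that binds each session ID to the IP seen at login.

    prefix_len is an assumed knob (not from the thread): compare only the
    first N bits of the address, so a client that moves between addresses
    inside one block is not forced to re-login. 32 = exact IPv4 match.
    """

    def __init__(self, prefix_len: int = 32):
        self.prefix_len = prefix_len
        self.sessions: dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self.sessions[sid] = Session(user, client_ip)
        return sid

    def _same_network(self, recorded: str, current: str) -> bool:
        net = ipaddress.ip_network(f"{recorded}/{self.prefix_len}", strict=False)
        return ipaddress.ip_address(current) in net  # False if versions differ

    def request(self, sid: str, client_ip: str) -> str:
        """Return 'ok', 'relogin' or 'no-session'; a mismatch drops the session."""
        sess = self.sessions.get(sid)
        if sess is None:
            return "no-session"
        if not self._same_network(sess.ip, client_ip):
            del self.sessions[sid]  # presented ID is now useless to anyone
            return "relogin"
        return "ok"


def simulate(client_ips, prefix_len=32):
    """Log in from client_ips[0], replay the rest, and report each outcome."""
    store = SessionStore(prefix_len)
    sid = store.login("alice", client_ips[0])
    results = []
    for ip in client_ips[1:]:
        outcome = store.request(sid, ip)
        if outcome == "relogin":
            sid = store.login("alice", ip)  # user had to authenticate again
        results.append(outcome)
    return results


# Constructed sample traffic (documentation-range addresses, not real clients)
STABLE_CLIENT = ["203.0.113.10"] * 4
PROXY_FARM = ["198.51.100.1", "198.51.100.7", "198.51.100.3", "198.51.100.9"]
```

With an exact match the rotating proxy farm triggers a re-login on every request, which is the breakage Shaun saw; with a coarser `prefix_len` those clients stay logged in, while a session ID replayed from an unrelated address is still rejected and invalidated.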
