[WEB SECURITY] IP address change: relogin

Ryan Barnett rcbarnett at gmail.com
Wed May 21 17:39:37 EDT 2008

Using only the IP address to check for Session Hijacking is prone to false
positives as there are legitimate scenarios where different people may have
the same IP (corporate NAT or AOL, etc...).  If you want to do detection,
you should try and add in other components for correlation (such as
User-Agent) as this would help to more uniquely identify the user.  The key
is that you want to try and use a piece of data that would not change for
the duration of the session.  The UA is pretty good for this, however, some
technologies such as Java will alter it.

While not perfect, the best scenario is to correlate IP+UA and then
alert/log if either one changes and block (or force a re-login) if they both
change.  Increasing audit logging when Session Hijacking is suspected (where
as perhaps the default audit log config is to only audit log an attack) is
advantageous as you at least then have an audit trail of actions taken using
that ID.

Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
Author: Preventing Web Attacks with Apache

On Wed, May 21, 2008 at 4:08 PM, Stephan Wehner <stephanwehner at gmail.com>

> Let's say one records, when a user logs in to a web-app, the user's
> present IP address.
> On a later request, if the user's IP address has changed, the web-app
> could ask for a re-login.
> I'm thinking about stolen session id's through javascript-attacks. Are
> there arguments against such a scheme?
> For example, would some people run into this frequently, because of
> the way their ISP's DHCP is setup?
> On the other hand sometimes IP addresses are shared. But I guess
> cross-site scripting attacks "in the office" are pretty unlikely.
> Thanks,
> Stephan
> --
> Stephan Wehner
> -> http://stephan.sugarmotor.org
> -> http://www.thrackle.org
> -> http://www.buckmaster.ca
> -> http://www.trafficlife.com
> -> http://stephansmap.org
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20080521/c5f90589/attachment.html>

More information about the websecurity mailing list