[WEB SECURITY] Session attacks, What are the new breeds of attacks ?

mhellman at taxandfinance.com mhellman at taxandfinance.com
Thu Jun 10 13:04:03 EDT 2010

> Well, I don't know if it is presumptuous or not. Some people will say it
> is
> presumptuous to require javascript on your website. Others will say it is
> presumptuous for your website to not support accessibility, other
> browsers,
> etc.
> Bottom line, it is your website and you get to decide what is acceptable
> and
> what is not. If you don't tie sessions to ip addresses, then you are open
> to
> some types of attacks that you wouldn't be opened to otherwise. If you do
> tie session to ip addresses then you have issues with reverse proxies.
> Which
> is the lesser evil is up to you to decide.

I wasn't accusing you personally of being presumptuous:)  I was merely
pointing out that if we think about it conceptually in the context of the
protocol and layers involved, assuming that the IP won't change is a bit
silly. There is no technical reason it can't or won't, and in fact I would
argue that it should be expected to happen sometimes...even if it is
relatively rare. I'm at the coffee shop with my iPad and log in.  I go
home (a 10 minutes drive) and connect to my home wireless.  Guess what, my
IP address changed but I'm still using the same session ID.  The developer
can choose to invalidate the session and make me log in again, that's of
course up to them...but a developer making that decision because they
expect that the ip address should never change for a given session is
presumptuous. It can and will quite normally.

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to 
the confirmation email

Join WASC on LinkedIn

More information about the websecurity mailing list