
RE: Session Fixation

From: Information Security <InformationSecurity(at)federatedinv.com>
Date: Mon Mar 31 2003 - 08:19:14 EST


I recently visited a site (I think it might have been my bank) where they actually had an option for "additional security" where you could link the session to your IP address. I was impressed, and thought it was a great option, but I'm not sure how many non-security folks would. But the nice thing was the communication: calling it an "additional security feature" rather than something very technical.

There are, IMHO, at least two other mitigation strategies, or points to consider:

First, make sure applications have a "logout" option, and train users to use it when they're done. It's a mitigation strategy for this and other session vulnerabilities (XSS, etc.) to at least reduce the window of opportunity.

Second, make sure the account password change page (and hint pages, if applicable) require the user to supply the old password as well as the new. Prevents the hijacked session from changing the password and essentially creating the back door.

-----Original Message-----
From: Gary Gwin [mailto:websec@cafesoft.com]
Sent: Thursday, March 27, 2003 3:25 PM
To: webappsec@securityfocus.com
Subject: Re: Session Fixation

Thanks for posting, this is an excellent article.

One caveat is with respect to binding the session ID to the browser's network address. There are some proxy servers that swap IP addresses between HTTP requests. In this case, binding to the exact IP address can cause a valid session to be orphaned.

Gary


St. Clair, James wrote:
> FYI - for those who have not seen it..

-- 

Gary Gwin
http://www.cafesoft.com

*****************************************************************
*                                                               *
*   The Cafesoft Access Management System, Cams, is security    *
*   software that provides single sign-on authentication and    *
*   centralized access control for Apache, Tomcat, and custom   *
*   resources.                                                  *
*                                                               *
*****************************************************************
Received on Mon Mar 31 10:37:38 2003
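Added example, not part of this thread or of any product mentioned in it: a toy in-memory session manager in Python that puts the points raised above into code. It regenerates the session ID at login (the core session fixation defence), optionally binds the session to the client's network address with a configurable prefix length so that proxy pools that swap addresses within one network are tolerated (the orphaning caveat Gary raises), gives the user an explicit logout, and requires the old password on a password change. Class and method names are my own, and passwords are stored in plaintext purely to keep the illustration short.

```python
import secrets
import hmac
import ipaddress


class SessionStore:
    """Constructed example of server-side session handling; not a real framework."""

    def __init__(self, bind_ip=False, prefix_len=32):
        self.sessions = {}    # session id -> {"user": str | None, "net": str}
        self.passwords = {}   # user -> password (plaintext only for brevity)
        self.bind_ip = bind_ip
        # Binding to a prefix instead of one address lets a proxy farm rotate
        # source IPs within its own network without orphaning the session.
        self.prefix_len = prefix_len

    def _net(self, ip):
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False))

    def new_session(self, ip):
        """Pre-authentication session, e.g. for a shopping basket."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "net": self._net(ip)}
        return sid

    def login(self, sid, user, password, ip):
        """Returns a fresh session id on success, None on bad credentials."""
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            return None
        # Key anti-fixation step: any id the client arrived with is discarded
        # and a new one is issued, so a pre-planted id never becomes authenticated.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user, "net": self._net(ip)}
        return new_sid

    def current_user(self, sid, ip):
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.bind_ip and sess["net"] != self._net(ip):
            return None   # client moved outside the bound network: reject
        return sess["user"]

    def logout(self, sid):
        """Explicit logout invalidates the id server-side, closing the window."""
        self.sessions.pop(sid, None)

    def change_password(self, sid, ip, old, new):
        """Old password is required, so a hijacked session alone cannot set a back door."""
        user = self.current_user(sid, ip)
        if user is None or not hmac.compare_digest(self.passwords[user], old):
            return False
        self.passwords[user] = new
        return True
```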

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

