
Re: Session Fixation

From: HarryM <harrym(at)the-group.org>
Date: Mon Mar 31 2003 - 13:17:12 EST


> This topic has been discussed at length on this list, and every time it is,
> the consensus is reached that "binding" some session identifier to an IP

I'm not sure that's entirely accurate. Checking the IP of the client against the IP the session was started with on each page request does provide some measure of protection against a malicious user hijacking an active session - I've implemented just that on my last project - that said, the project in question was not intended to work through proxies (Access over a proxy was disallowed in the AUP) and we didn't really care about AOL users.

I agree that for a public system intended to work with as many ISPs and system configurations as possible, binding an IP to a session is probably futile, and to name it as an additional security feature is certainly misleading, but to discount it entirely as a useful precaution is unwise.

The implementation of the system this way does confirm what Gary posted earlier in the thread, though - oftentimes the sessions of legitimate users are invalidated because of this, but again, this is something we're willing to live with.

HarryM

Received on Mon Mar 31 13:28:08 2003
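An added illustration of the check HarryM describes, written for this archive page and not taken from his post or his project: the server records the client IP when the session is created and compares it on every request, dropping the session on a mismatch. The second request in the demo shows the cost he mentions, a legitimate user whose address changes mid-session (proxy pool, cache rotation) being logged out along with any attacker. Python, the idle timeout and the sample addresses are assumptions of this example.

```python
import secrets
import time


class IpBoundSessionStore:
    """Server-side sessions bound to the client IP seen at creation.

    Assumption (not from the post): sessions also expire after idle_seconds.
    """

    def __init__(self, idle_seconds=900):
        self._sessions = {}   # session id -> {"ip": str, "user": str, "last": float}
        self.idle_seconds = idle_seconds
        self.rejected = []    # (session id, bound ip, seen ip) kept for monitoring

    def create(self, user, client_ip, now=None):
        # Unpredictable id generated server-side; a client-supplied id is never accepted.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"ip": client_ip, "user": user,
                               "last": now if now is not None else time.time()}
        return sid

    def validate(self, sid, client_ip, now=None):
        """Return the user for a valid (sid, ip) pair, else None.

        A mismatch destroys the session, so a legitimate user whose IP changes
        between requests is locked out exactly like a hijacked session.
        """
        now = now if now is not None else time.time()
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last"] > self.idle_seconds:
            del self._sessions[sid]
            return None
        if s["ip"] != client_ip:
            self.rejected.append((sid, s["ip"], client_ip))
            del self._sessions[sid]
            return None
        s["last"] = now
        return s["user"]


def demo():
    # Constructed sample addresses (RFC 5737 documentation ranges).
    store = IpBoundSessionStore()
    sid = store.create("alice", "203.0.113.10", now=1000.0)
    same_ip = store.validate(sid, "203.0.113.10", now=1001.0)   # normal request
    other_ip = store.validate(sid, "198.51.100.7", now=1002.0)  # address changed: dropped
    after = store.validate(sid, "203.0.113.10", now=1003.0)     # original client locked out too
    return same_ip, other_ip, after, len(store.rejected)
```

The `rejected` list is where a deployment would hook logging, since the rate of mismatches is the direct measure of how many legitimate users the policy is costing.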

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:49 EDT

