For any commercial site it is almost impossible to use any portion of the
address for "authentication" or non-repudiation. The main reason is AOL. At the
last e-com site I managed, 70% of our traffic came from AOL. IIRC AOL used
proxy "pods" for their netblocks. I would watch users hop from IP to IP and
sometimes across entire subnets during a session. Now you could code your app
to break for AOL users, but if you are a commercial entity that could present
a few problems.
The best use of IP address authentication is in a LAN environment, where
users are far less likely to go address hopping.
----- Original Message -----
From: <info_at_elitesoft.org>
To: "Obscure" <obscure_at_eyeonsecurity.net>
Cc: "Joe Harrison" <list-general_at_ntlworld.com>; "Securityfocus-Vulndev"
<vuln-dev_at_securityfocus.com>
Sent: Friday, February 01, 2002 8:08 AM
Subject: RE: CSS, CSS & let me give you some more CSS
> If you use the IP address for the session cookie, an attacker can't use
> a stolen cookie.
> However, you can't use the IP address when BGP or a proxy is used.
> In this case the best protection is to change the session cookie
> for each transaction using a transaction counter.
> This will provide transaction non-repudiation.
> If such a session cookie is stolen and used by a hacker prior
> to the user, then the user's session will be blown away.
>
> Mike
>
Received on Feb 01 2002
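The per-transaction cookie rotation that Mike proposes in the quoted message, as an added example that is not part of this thread: the server derives each cookie from a transaction counter, and any presentation of a superseded cookie (by the thief after the user, or by the user after the thief) destroys the whole session. The class name, the HMAC construction and the in-memory dictionaries are assumptions of this example.

```python
import hashlib
import hmac
import secrets

class RotatingSessionStore:
    """Server-side sessions whose cookie value changes on every transaction.

    The cookie is HMAC(server_key, session_id:counter). Presenting a cookie
    that has since been superseded is treated as replay of a stolen cookie:
    the whole session is destroyed, locking out user and thief alike.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)   # assumption: per-process signing key
        self._sessions = {}   # session_id -> {"user": str, "counter": int}
        self._current = {}    # live cookie value -> session_id
        self._retired = {}    # superseded cookie value -> session_id

    def _cookie(self, sid, counter):
        msg = f"{sid}:{counter}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def login(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "counter": 0}
        cookie = self._cookie(sid, 0)
        self._current[cookie] = sid
        return cookie

    def transact(self, presented):
        """Returns (status, next_cookie); status is 'ok', 'revoked' or 'invalid'."""
        sid = self._current.pop(presented, None)
        if sid is None:
            victim = self._retired.pop(presented, None)
            if victim is not None:          # a cookie we issued earlier: replay
                self._destroy(victim)
                return ("revoked", None)
            return ("invalid", None)        # never issued, or session already gone
        sess = self._sessions[sid]
        sess["counter"] += 1
        self._retired[presented] = sid      # remember it so a later replay is caught
        nxt = self._cookie(sid, sess["counter"])
        self._current[nxt] = sid
        return ("ok", nxt)

    def _destroy(self, sid):
        self._sessions.pop(sid, None)
        self._current = {c: s for c, s in self._current.items() if s != sid}
        self._retired = {c: s for c, s in self._retired.items() if s != sid}
```

A real deployment has to serialise a client's concurrent requests (or allow a short grace window for the previous cookie), since two parallel requests carrying the same cookie would otherwise look like a replay.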