Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Tying a session to an IP address
From: exon <exon () home se>
Date: Mon, 10 May 2004 16:00:47 +0200

Paul Johnston wrote:

I'm interested in the merits of restricting a session to an IP address. I realise this isn't great security as often many users will appear to come from the same IP address (NAT, proxies, etc.) However, if you consider the case where an attacker uses an XSS vulnerability to steal the session ID, then the IP address restriction raises the bar considerably for an arbitrary remote attacker to exploit this. I'm worried that the IP address restriction wouldn't work for all users - e.g. if their ISP uses load-balanced web caches. Does anyone know how common such arrangements are in practice? Perhaps something to be done then is just check the top 16 bits of the IP address. This is likely to work for all such network arrangements and still raises the bar a lot for remote attacks.

I'd say it doesn't do diddly squat to add to security, since it's trivial to spoof ones address.

Does anyone here already restrict sessions by IP address?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]