Home page logo

webappsec logo WebApp Sec mailing list archives

Re: Tying a session to an IP address
From: Chris Burton <cyberhiker99 () yahoo com>
Date: Mon, 10 May 2004 06:48:01 -0700 (PDT)

I would first ask if you are running IIS as your web
server.  That is easy, and it does what you want
restricting it to a single IP, subnet, or via reverse

If not IIS then perhaps with a firewall rule.

I have seen this done as a poorman's


--- Paul Johnston <paul () westpoint ltd uk> wrote:

I'm interested in the merits of restricting a
session to an IP address. 
I realise this isn't great security as often many
users will appear to 
come from the same IP address (NAT, proxies, etc.)
However, if you 
consider the case where an attacker uses an XSS
vulnerability to steal 
the session ID, then the IP address restriction
raises the bar 
considerably for an arbitrary remote attacker to
exploit this. I'm 
worried that the IP address restriction wouldn't
work for all users - 
e.g. if their ISP uses load-balanced web caches.
Does anyone know how 
common such arrangements are in practice? Perhaps
something to be done 
then is just check the top 16 bits of the IP
address. This is likely to 
work for all such network arrangements and still
raises the bar a lot 
for remote attacks.

Does anyone here already restrict sessions by IP



Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul () westpoint ltd uk
web: www.westpoint.ltd.uk

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]