Checking IP throughout the course of the session

[hngrfghtr]

Hi guys,

In our code base we have quite a few security issues (eg XSS, session id being broadcasted). Attackers could get our users' session cookies. While we are actively trying to close the holes we can find, we are wondering whether it is a good idea that we check the IP throughout the session, maybe every 5 requests or so. If the IP has changed, we require the user to re-login before continuing on what s/he is doing. The idea is that if the attacker gets a user session cookie, s/he will be using that coming from a different IP from the victim user. There are also usability concerns. We need to support users behind DHCP, as well as AOL users (many users coming from the same IP), maybe users behind Tor too.

Any comments about the general approach that we check IP throughout the session?


Thanks.

[sanddbox]

Sounds fine to me.

Just don't check too often or users using a TOR network will get screwed over.

[myhexhax]

May I ask what platform you are using? PHP/etc

There are lots of ways to mitigate session hijacking. You can try making a fingerprint for the browser that is maintained in the session, and if it changes, deauthenticate them. An ideal string would be the User Agent. Hash it and store it in the session. You'll be able to tell if it changes or not (of course). For forms you can use temporary tokens to ensure the posted request originated from a page that the form existed on.. IP is feasible, but it *can* change, especially if someone is on a onion routing network or the like.

[hngrfghtr]

Thanks for the reply. The user-agent idea is great. We will consider it.