Checking IP throughout the course of the session

Discuss the many weaknesses of browser security and ways to mitigate the threat

Post by hngrfghtr on Wed Aug 05, 2009 3:34 pm
([msg=27925]see Checking IP throughout the course of the session[/msg])

Hi guys,

In our code base we have quite a few security issues (e.g. XSS, session id being broadcast). Attackers could get our users' session cookies. While we are actively trying to close the holes we can find, we are wondering whether it is a good idea to check the IP throughout the session, maybe every 5 requests or so. If the IP has changed, we require the user to re-login before continuing with what s/he is doing. The idea is that if the attacker gets a user's session cookie, s/he will be using it from a different IP than the victim user. There are also usability concerns. We need to support users behind DHCP, as well as AOL users (many users coming from the same IP), and maybe users behind Tor too.

Any comments about the general approach that we check IP throughout the session?


Thanks.
hngrfghtr
New User
 
Posts: 4
Joined: Wed Aug 05, 2009 3:23 pm
Blog: View Blog (0)


Re: Checking IP throughout the course of the session

Post by sanddbox on Wed Aug 05, 2009 4:13 pm
([msg=27927]see Re: Checking IP throughout the course of the session[/msg])

Sounds fine to me.

Just don't check too often, or users on the Tor network will get screwed over.

HTS User Composition:
95% Male
4.98% Female
.01% Monica
.01% Goat
sanddbox
Expert
 
Posts: 2337
Joined: Sat Jul 04, 2009 5:20 pm
Blog: View Blog (0)


Re: Checking IP throughout the course of the session

Post by myhexhax on Wed Aug 05, 2009 4:45 pm
([msg=27928]see Re: Checking IP throughout the course of the session[/msg])

May I ask what platform you are using? PHP, etc.

There are lots of ways to mitigate session hijacking. You can try making a fingerprint for the browser that is maintained in the session, and if it changes, deauthenticate them. An ideal string would be the User-Agent. Hash it and store it in the session. You'll be able to tell if it changes or not (of course). For forms you can use temporary tokens to ensure the posted request originated from a page that the form existed on. IP is feasible, but it *can* change, especially if someone is on an onion-routing network or the like.
gniripsni ewa si rehte eht morf cisum siht
myhexhax
Poster
 
Posts: 217
Joined: Tue Sep 16, 2008 2:19 pm
Location: Between the ether and the information superhighway
Blog: View Blog (0)
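As an added example (not code from the thread or from either poster), here is a server-side sketch in Python of both ideas raised above: the IP re-check every few requests from hngrfghtr's first post, and the hashed User-Agent fingerprint plus per-form tokens from myhexhax's reply. The in-memory session store, the check interval, the IP addresses (RFC 5737 documentation ranges) and the User-Agent strings are all constructed for the example; a real application would keep the sessions in its own server-side store and have a web framework supply the headers.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Hypothetical setting for this example: re-verify the client IP every N requests,
# as the first post proposes. The User-Agent fingerprint is checked on every request.
IP_CHECK_INTERVAL = 5


def ua_fingerprint(user_agent: str) -> str:
    """Hash the User-Agent so only a digest, not the raw header, is kept in the session."""
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


@dataclass
class Session:
    user: str
    ip: str                      # client IP seen at (re-)login
    ua_hash: str                 # fingerprint of the User-Agent at (re-)login
    requests_seen: int = 0
    authenticated: bool = True   # False once an IP change demands a fresh login
    form_tokens: Set[str] = field(default_factory=set)


class SessionStore:
    """Stand-in for a server-side session store (constructed for this example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self._sessions[sid] = Session(user, ip, ua_fingerprint(user_agent))
        return sid

    def check(self, sid: str, ip: str, user_agent: str) -> str:
        """Validate one request: 'ok', 'relogin' (IP changed) or 'deauth' (UA changed / no session)."""
        s = self._sessions.get(sid)
        if s is None or not s.authenticated:
            return "deauth"
        # Browser fingerprint: any change ends the session outright.
        if not hmac.compare_digest(s.ua_hash, ua_fingerprint(user_agent)):
            del self._sessions[sid]
            return "deauth"
        s.requests_seen += 1
        # IP: only compared every IP_CHECK_INTERVAL requests; a change keeps the session
        # but blocks everything until the user re-authenticates.
        if s.requests_seen % IP_CHECK_INTERVAL == 0 and ip != s.ip:
            s.authenticated = False
            return "relogin"
        return "ok"

    def relogin(self, sid: str, ip: str, user_agent: str, password_ok: bool) -> Optional[str]:
        """After the password is re-checked, rotate the session id and rebind to the new IP."""
        s = self._sessions.pop(sid, None)        # old id is invalid either way
        if s is None or not password_ok:
            return None
        return self.login(s.user, ip, user_agent)

    def issue_form_token(self, sid: str) -> Optional[str]:
        """Token embedded in a rendered form; only this session can later redeem it."""
        s = self._sessions.get(sid)
        if s is None or not s.authenticated:
            return None
        token = secrets.token_urlsafe(32)
        s.form_tokens.add(token)
        return token

    def consume_form_token(self, sid: str, token: str) -> bool:
        """Accept a POST only with a token this session issued; each token is single-use."""
        s = self._sessions.get(sid)
        if s is None or not s.authenticated:
            return False
        for issued in tuple(s.form_tokens):
            if hmac.compare_digest(issued, token):
                s.form_tokens.discard(issued)
                return True
        return False


def demo() -> dict:
    """Walk through the cases the thread raises: steady IP, DHCP change, stolen cookie."""
    ua = "Mozilla/5.0 (X11; U; Linux i686) Gecko/20090729 Firefox/3.5.2"   # constructed
    store = SessionStore()
    sid = store.login("alice", "203.0.113.10", ua)
    out = {}
    out["steady"] = [store.check(sid, "203.0.113.10", ua) for _ in range(5)]
    # DHCP lease renews after request 5; the change is only noticed at the next IP check.
    out["dhcp"] = [store.check(sid, "203.0.113.77", ua) for _ in range(5)]
    out["before_relogin"] = store.check(sid, "203.0.113.77", ua)
    new_sid = store.relogin(sid, "203.0.113.77", ua, password_ok=True)
    out["new_sid"] = store.check(new_sid, "203.0.113.77", ua)
    out["old_sid"] = store.check(sid, "203.0.113.77", ua)
    tok = store.issue_form_token(new_sid)
    out["form_ok"] = store.consume_form_token(new_sid, tok)
    out["form_replay"] = store.consume_form_token(new_sid, tok)
    out["form_forged"] = store.consume_form_token(new_sid, secrets.token_urlsafe(32))
    # Attacker replays the stolen cookie from another host and client.
    out["stolen"] = store.check(new_sid, "198.51.100.7", "curl/7.19.5")
    out["victim_after"] = store.check(new_sid, "203.0.113.77", ua)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} {result}")
```

Note what the trace shows: the IP change from a DHCP renewal passes four requests unchecked and then forces a re-login at the fifth, while a User-Agent mismatch destroys the session, so the legitimate user is logged out too once the stolen cookie has been replayed.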


Re: Checking IP throughout the course of the session

Post by hngrfghtr on Fri Aug 07, 2009 2:43 pm
([msg=27976]see Re: Checking IP throughout the course of the session[/msg])

Thanks for the reply. The user-agent idea is great. We will consider it.
hngrfghtr
New User
 
Posts: 4
Joined: Wed Aug 05, 2009 3:23 pm
Blog: View Blog (0)
