[WEB SECURITY] IP address change: relogin
- From: "Stephan Wehner" <stephanwehner@xxxxxxxxx>
- Subject: [WEB SECURITY] IP address change: relogin
- Date: Wed, 21 May 2008 13:08:27 -0700
Let's say one records, when a user logs in to a web-app, the user's
present IP address.

On a later request, if the user's IP address has changed, the web-app
could ask for a re-login.

I'm thinking about stolen session IDs through JavaScript attacks. Are
there arguments against such a scheme?

For example, would some people run into this frequently, because of
the way their ISP's DHCP is set up?

On the other hand, sometimes IP addresses are shared. But I guess
cross-site scripting attacks "in the office" are pretty unlikely.
Thanks,
Stephan
--
Stephan Wehner
-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
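
The scheme asked about above, as an added example that is not part of the original post: a session store that records the login IP and demands a re-login when a later request arrives from a different address. It goes beyond the post by adding a relaxed mode that compares network prefixes to tolerate DHCP churn; `SessionStore`, `same_origin` and the /24 and /64 prefix lengths are assumptions made for illustration.

```python
import ipaddress
import secrets

# Prefix lengths for the relaxed mode are assumptions, not values from the post.
V4_PREFIX, V6_PREFIX = 24, 64


def _norm(ip):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def same_origin(login_ip, request_ip, strict=True):
    """True if request_ip is acceptable for a session created from login_ip."""
    a, b = _norm(login_ip), _norm(request_ip)
    if a.version != b.version:
        return False
    if strict:
        return a == b  # the scheme exactly as posted: any change fails
    prefix = V4_PREFIX if a.version == 4 else V6_PREFIX
    return b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


class SessionStore:
    def __init__(self, strict=True):
        self.strict = strict
        self._sessions = {}  # session id -> (user, login IP)

    def login(self, user, ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, ip)
        return sid

    def check(self, sid, ip):
        """Return 'ok', or 'relogin' when the user must authenticate again."""
        entry = self._sessions.get(sid)
        if entry is None:
            return "relogin"
        if not same_origin(entry[1], ip, self.strict):
            # Drop the session: the id is now useless from any address,
            # at the cost of logging out the legitimate user as well.
            del self._sessions[sid]
            return "relogin"
        return "ok"
```

A request that presents the session id from the same shared (NAT or proxy) address as the login still returns `ok`, which is the shared-address limitation the post raises.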