[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [WEB SECURITY] IP address change: relogin

From: Shaun <shaun@xxxxxxxxxx>
Subject: Re: [WEB SECURITY] IP address change: relogin
Date: Wed, 21 May 2008 15:42:30 -0500

Several years ago I was asked to implement a scheme like this for a
client's site. As it turned out, this rendered the site completely
unusable for AOL customers. AOL's web traffic is (or was) routed through
a proxy farm in such a way that every pageload in a session can
potentially come from a different IP.

Maybe they've changed this behavior, or maybe keeping AOL users out of
your site is actually a benefit, but it's something to consider.

-s

On Wed, 21 May 2008 13:08:27 -0700
"Stephan Wehner" <stephanwehner@xxxxxxxxx> wrote:

> Let's say one records, when a user logs in to a web-app, the user's
> present IP address.
> On a later request, if the user's IP address has changed, the web-app
> could ask for a re-login.
> 
> I'm thinking about stolen session id's through javascript-attacks. Are
> there arguments against such a scheme?
> For example, would some people run into this frequently, because of
> the way their ISP's DHCP is setup?
> On the other hand sometimes IP addresses are shared. But I guess
> cross-site scripting attacks "in the office" are pretty unlikely.
> 
> Thanks,
> 
> Stephan
> 
> -- 
> Stephan Wehner
> 
> -> http://stephan.sugarmotor.org
> -> http://www.thrackle.org
> -> http://www.buckmaster.ca
> -> http://www.trafficlife.com
> -> http://stephansmap.org
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA



----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

References:
- [WEB SECURITY] IP address change: relogin
  - From: Stephan Wehner

Prev by Date: [WEB SECURITY] IP address change: relogin
Next by Date: Re: [WEB SECURITY] IP address change: relogin
Previous by thread: [WEB SECURITY] IP address change: relogin
Next by thread: Re: [WEB SECURITY] IP address change: relogin
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site