Re: [WEB SECURITY] IP address change: relogin
- From: "Stephan Wehner" <stephanwehner@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] IP address change: relogin
- Date: Thu, 22 May 2008 09:23:29 -0700
On Thu, May 22, 2008 at 7:43 AM, Martin O'Neal
<martin.oneal@xxxxxxxxxxxx> wrote:
>
>> If there are other methods, I'd be interested in hearing about them
> too.
>
> I think what people are looking for here is a technical solution to a
> logical problem. Logically, an attacker that already has access to the
> data in transit (or on the client), has access to all the components
> needed to subvert any controls you can implement at the client. All
> they need is the time and desire to subvert them.
Well, looking at a simple XSS case, where the "attacker gets the
cookies", but not much more: they wouldn't find it easy to spoof the
IP address.
Thanks everyone, for all the replies!
Sounds like using the IP address is not as useful as I hoped. I like
the idea of XHR - 'passive authentication'.
Stephan
> Martin...
--
Stephan Wehner
-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org
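The thread above weighs binding a session to the client IP address (forcing a re-login when it changes) against the cost of that check. The following added example, which is not code from the list or from any poster, shows the mechanism being discussed in a small constructed in-memory session store: the IP seen at login is stored with the session, a request from a different IP invalidates it, and the cookie is issued with HttpOnly so that script injected via XSS cannot read it in the first place. All class and function names, the timeout values and the sample addresses are assumptions made for this example.

```python
import hmac
import secrets
import time


class SessionStore:
    """Constructed in-memory session store bound to the login IP (example only)."""

    def __init__(self, idle_timeout=900):
        # Map session id -> {"user", "ip", "last_seen"}
        self.sessions = {}
        self.idle_timeout = idle_timeout

    def login(self, user, client_ip, now=None):
        """Create a session and remember the IP the login came from."""
        if now is None:
            now = time.time()
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = {"user": user, "ip": client_ip, "last_seen": now}
        return sid

    def validate(self, sid, client_ip, now=None):
        """Return (user, reason). reason is 'ok' or why the session was rejected.

        Any rejection drops the session, so the legitimate user has to log in
        again (the 're-login on IP change' behaviour the thread discusses).
        Note that a genuine change of address (mobile roaming, a NAT pool
        rotating egress IPs) is rejected exactly like a stolen cookie replayed
        from elsewhere; that is the usability trade-off the thread concludes with.
        """
        if now is None:
            now = time.time()
        session = self.sessions.get(sid)
        if session is None:
            return None, "unknown-session"
        if now - session["last_seen"] > self.idle_timeout:
            del self.sessions[sid]
            return None, "expired"
        # Constant-time compare; the IP is compared as a string as the
        # server saw it, not anything the client supplied in a header.
        if not hmac.compare_digest(session["ip"], client_ip):
            del self.sessions[sid]
            return None, "ip-changed"
        session["last_seen"] = now
        return session["user"], "ok"


def session_cookie_header(sid):
    """Build the Set-Cookie value for the session id.

    HttpOnly keeps document.cookie from exposing the id to injected script;
    Secure keeps it off plaintext HTTP; SameSite=Strict limits cross-site sends.
    """
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


if __name__ == "__main__":
    # Constructed walk-through with fixed clock values and documentation IPs.
    store = SessionStore(idle_timeout=600)
    sid = store.login("alice", "203.0.113.10", now=1000.0)
    print(session_cookie_header(sid))
    print(store.validate(sid, "203.0.113.10", now=1010.0))   # ('alice', 'ok')
    print(store.validate(sid, "198.51.100.7", now=1020.0))   # (None, 'ip-changed')
    print(store.validate(sid, "203.0.113.10", now=1030.0))   # (None, 'unknown-session')
```

The third call shows the side effect worth noticing: once a request from another address has hit the session, the original user is also locked out until they log in again, so the check is a detection-plus-reset control rather than something that distinguishes the two parties.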