
Re: [WEB SECURITY] IP address change: relogin



Hello,

Most proxies will include an "X-Forwarded-For" header that contains the IP address of the "real" requester, which can be used to help manage sessions. See http://en.wikipedia.org/wiki/X-Forwarded-For . A little trick I used in the past is including a 0-pixel image via HTTPS and using the SSL session to bind sessions to.

Regards,

--
Jason Muskat de VE3TSJ | GCFA, GCUX, CEI, CEH
________________________________________________
The TechDude
e. Jason@xxxxxxxxxxx
m. 416 .414 .9934

http://TechDude.Ca/



On 21-May-08, at 4:42 PM, Shaun wrote:

Several years ago I was asked to implement a scheme like this for a
client's site. As it turned out, this rendered the site completely
unusable for AOL customers. AOL's web traffic is (or was) routed through
a proxy farm in such a way that every pageload in a session can
potentially come from a different IP.


Maybe they've changed this behavior, or maybe keeping AOL users out of
your site is actually a benefit, but it's something to consider.

-s

On Wed, 21 May 2008 13:08:27 -0700
"Stephan Wehner" <stephanwehner@xxxxxxxxx> wrote:

Let's say one records, when a user logs in to a web-app, the user's
present IP address.
On a later request, if the user's IP address has changed, the web-app
could ask for a re-login.

I'm thinking about stolen session ids through javascript attacks. Are
there arguments against such a scheme?
For example, would some people run into this frequently because of
the way their ISP's DHCP is set up?
On the other hand, sometimes IP addresses are shared. But I guess
cross-site scripting attacks "in the office" are pretty unlikely.


Thanks,

Stephan

--
Stephan Wehner

-> http://stephan.sugarmotor.org
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org
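As an added example (not code from this thread or from any of the posters), here is Stephan's scheme in Python: record the client IP at login and demand a re-login when a later request arrives from a different address. Following Jason's note, the client IP is taken from X-Forwarded-For, but only when the TCP peer is one of our own reverse proxies (assumed here to sit in 10.0.0.0/8, a constructed value); a client connecting directly can put anything in that header, so it is ignored otherwise. The `demo()` function also reproduces Shaun's AOL-style failure mode: a legitimate user whose proxy farm rotates addresses gets logged out exactly like the thief. All addresses are constructed documentation-range values.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed assumption: the reverse proxies in front of the application.
# Only a peer inside these networks may set X-Forwarded-For on a client's behalf.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """Resolve the requesting client's IP from the TCP peer and X-Forwarded-For.

    The header is honoured only when the peer is one of our proxies. It reads
    "client, proxy1, proxy2, ...", so we walk it from the right, skip our own
    proxies, and take the first address that is not ours: anything further left
    was appended by parties we do not control and may be forged.
    """
    if not _is_trusted_proxy(remote_addr):
        return remote_addr  # direct client: header is untrusted text
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop):
            try:
                return str(ipaddress.ip_address(hop))  # normalised text form
            except ValueError:
                break  # malformed hop: fall back to the peer address
    return remote_addr


@dataclass
class Session:
    user: str
    login_ip: str


class SessionStore:
    """In-memory sessions bound to the IP observed at login."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, remote_addr: str, headers: Dict[str, str]) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = Session(user, client_ip(remote_addr, headers))
        return sid

    def authenticate(
        self, sid: str, remote_addr: str, headers: Dict[str, str]
    ) -> Tuple[Optional[str], str]:
        """Return (user, "ok"), or (None, reason) when a re-login is required."""
        session = self._sessions.get(sid)
        if session is None:
            return None, "no-session"
        if client_ip(remote_addr, headers) != session.login_ip:
            # Address changed: drop the session so the id cannot be replayed,
            # whether it was stolen or the user's proxy simply rotated.
            del self._sessions[sid]
            return None, "relogin"
        return session.user, "ok"


def demo() -> Dict[str, str]:
    """Walk the three cases raised in the thread with constructed addresses."""
    proxy = "10.0.0.2"  # our own reverse proxy, per TRUSTED_PROXIES
    results: Dict[str, str] = {}
    # 1. Session id stolen via script and replayed from another network.
    store = SessionStore()
    sid = store.login("alice", proxy, {"X-Forwarded-For": "198.51.100.9"})
    results["stolen"] = store.authenticate(sid, proxy, {"X-Forwarded-For": "192.0.2.77"})[1]
    # 2. Legitimate user behind a rotating proxy farm: same outcome, a false positive.
    store = SessionStore()
    sid = store.login("bob", proxy, {"X-Forwarded-For": "203.0.113.10"})
    results["rotating"] = store.authenticate(sid, proxy, {"X-Forwarded-For": "203.0.113.11"})[1]
    # 3. Direct client forging the header: ignored, so the binding still holds.
    store = SessionStore()
    sid = store.login("carol", "198.51.100.9", {})
    results["forged"] = store.authenticate(
        sid, "198.51.100.9", {"X-Forwarded-For": "10.0.0.2, 192.0.2.1"}
    )[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The "rotating" case is the trade-off Shaun describes: with an exact-match policy the scheme cannot tell a stolen cookie from a user whose ISP hands out a new egress address per request, so both are sent back to the login page.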

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
