[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] defense against session hijacking
- To: "Thomas M. Duffey" <tduffey@homeboyz.com>
- Subject: Re: [Full-Disclosure] defense against session hijacking
- From: David Maynor <dave@0dayspray.com>
- Date: Mon, 17 Nov 2003 15:47:04 -0500
On Mon, Nov 17, 2003 at 03:16:55PM -0600, Thomas M. Duffey wrote:
> Sorry if this is common knowledge or regularly discussed; I'm fairly
> new to the list. I see quite a few messages on this and other
> security lists about session hijacking in Web applications. Isn't it
> good defense for a programmer to store the IP address of the client
> when the session is initiated, and then compare that address against
> the client for each subsequent request, destroying the session if the
> address changes? Do many programmers really overlook this simple
> method to protect against such an attack? It's not perfect but should
> significantly increase the difficulty of such an attack with little or
> no annoying side effects for the legitimate user. Would it be useful
> to extend the session modules of the common Web scripting languages
> (e.g. PHP) to enable an IP address check by default?
>
This would break things like NATed machines and such.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html