On Mon, Sep 23, 2013 at 7:29 PM, Yasuo Ohgaki wrote:

> Hi all,
>
> There isn't any good countermeasure against session hijacking.
> However, we can regenerate the session ID if the IP address has changed.
> Hijacked users might notice that they have been logged out if the session
> ID is regenerated by attackers. Therefore, users have a slight chance
> to notice that they were under attack. It's not greatly effective, but
> better than nothing.
>
> Although this can be implemented in user script, it would be better if
> the session module supported this behavior. Better security by default
> is a good thing. It requires an INI setting, since some apps may assume the
> session ID would not change.
> (I do not encourage using the session ID for CSRF protection, but
> there are such implementations, for example.)
>
> A concern is that there is a growing number of browsers that share
> state. I have not researched these browsers' behavior yet. I suppose
> a session cookie (expire=0) would not be shared.
>
> Does anyone have any comments on this?
>

Each and every type of prevention measure has consequences, and not only
that but MAJOR consequences.  If you are detecting IP changes, you rule out
most if not all major proxy networks that exist.  While not first of mind,
when handling this you can easily remove the old session without properly
transitioning to the new.  This is an option based off of the individual
application vs. a language option or construct.  There are a ton of
different measures that you might take based off of changes to the end user
data.  I think this would be a poor idea in the long run due to the
consequences that you may incur.
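As an added illustration (not code from either poster nor from the PHP session module), the following user-script version of the proposal regenerates the session ID when the client address no longer matches the one recorded at login. The constants `SESSION_REGENERATE_ON_IP_CHANGE`, `IPV4_MATCH_BITS` and `IPV6_MATCH_BITS` are hypothetical stand-ins for the INI switch discussed above; the prefix-length comparison is an assumed way of softening the proxy-network objection raised in the reply, so that an address moving within one network is not treated as a hijack.

```php
<?php
// Added example: regenerate the session ID when the client IP changes,
// implemented in user script as the original post says is possible.
// REMOTE_ADDR is only meaningful if no reverse proxy sits in front of PHP;
// behind one, resolve the real client address before calling this.

declare(strict_types=1);

// Hypothetical stand-in for the INI option proposed in the thread.
const SESSION_REGENERATE_ON_IP_CHANGE = true;

// Leading address bits that must match for the request to count as the same
// client. 32 / 128 demand an exact match; a shorter prefix tolerates clients
// whose address moves inside one network (e.g. a proxy pool), which is the
// objection raised in the reply. Assumed knob, not part of PHP.
const IPV4_MATCH_BITS = 32;
const IPV6_MATCH_BITS = 128;

function ip_prefix_matches(string $a, string $b, int $v4bits, int $v6bits): bool
{
    $pa = inet_pton($a);
    $pb = inet_pton($b);
    if ($pa === false || $pb === false || strlen($pa) !== strlen($pb)) {
        return false; // unparsable, or IPv4 vs IPv6: treat as a change
    }
    $bits = strlen($pa) === 4 ? $v4bits : $v6bits;
    $bits = max(0, min($bits, strlen($pa) * 8)); // clamp a misconfigured value
    $fullBytes = intdiv($bits, 8);
    if (substr($pa, 0, $fullBytes) !== substr($pb, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    // Compare only the top $rem bits of the first partial byte.
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($pa[$fullBytes]) ^ ord($pb[$fullBytes])) & $mask) === 0;
}

function start_session_with_ip_check(string $clientIp): bool
{
    session_start();
    if (!SESSION_REGENERATE_ON_IP_CHANGE) {
        return false;
    }
    $regenerated = false;
    $stored = $_SESSION['__client_ip'] ?? null;
    if ($stored !== null
        && !ip_prefix_matches($stored, $clientIp, IPV4_MATCH_BITS, IPV6_MATCH_BITS)) {
        // Address changed: issue a fresh ID and invalidate the old one.
        // Session data is carried over, as in the proposal. Whoever holds
        // the old ID (the victim, if the request came from an attacker)
        // is now logged out and may notice, which is the whole effect
        // described in the original post. A legitimate user who simply
        // changed networks is logged out too; that is the cost the reply
        // warns about.
        session_regenerate_id(true);
        $regenerated = true;
    }
    $_SESSION['__client_ip'] = $clientIp;
    return $regenerated;
}

if (PHP_SAPI !== 'cli') {
    start_session_with_ip_check($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}
```

Calling `start_session_with_ip_check()` in place of `session_start()` on every request is enough; the return value says whether a regeneration happened, so the application can log it. Lowering `IPV4_MATCH_BITS` to, say, 24 is the knob that trades detection strength for fewer false logouts behind proxy networks.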
