> From: Matthew Byng-Maddick [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 16, 2003 2:28 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Session Fixation Vulnerability in Web Based Apps
>
> On Mon, Jun 16, 2003 at 10:47:04AM +0100, [EMAIL PROTECTED] wrote:
> > session id). Authentication of subsequent pages is assumed only if the
> > client's IP address matches the IP address stored in the session variable
> > corresponding to the client's session.
> > Is this secure? If not, why not?
>
> It's not a question of whether it's secure or not, in any kind of environment
> with distributed proxies, it just plain won't work.
I think I understand this, but I'm not sure if it matters. It seems to me that a false negative (failed login) is not particularly serious, and that the emphasis should be on preventing false positives (hackers).

So ... if you find that you can't log in from work (or anywhere you may have distributed proxies), tough. Just try again when you get home, where there are no distributed proxies in the way. If you believe that security is more important than convenience, is this not reasonable?

The point is that, since IP spoofing is difficult (at least, considerably MORE difficult than stealing a session key), you could be fairly sure you were cutting out an awful lot of hacker attacks.

I freely admit that I don't understand all the issues here, but this does seem pretty straightforward. What am I missing?

Jill

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
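The IP-bound session check the two posters are debating, as an added example that is not from the thread or any poster: a session is bound to the client address seen at login, later requests are accepted only from that address, and a small simulation shows both outcomes the posters describe, the stolen session id rejected from another address, and the legitimate user behind a pool of distributed proxies failing most requests. The class names, the proxy pool and the RFC 5737 documentation addresses are constructed for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Session:
    user: str
    bound_ip: str  # client address recorded at login


class IpBoundSessionStore:
    """Session store that ties each session id to the login source address."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        # Fresh, unguessable id issued at login; the source IP is stored with it.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, bound_ip=client_ip)
        return sid

    def authenticate(self, sid: str, client_ip: str) -> Optional[str]:
        """Return the user name if sid is valid AND arrives from the bound IP, else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session.bound_ip != client_ip:
            # Mismatch: either a stolen id used elsewhere (wanted rejection)
            # or the real user whose proxy pool changed their egress address
            # (the false negative the thread discusses).
            return None
        return session.user


def count_accepted(store: IpBoundSessionStore, sid: str, egress_ips: Iterable[str]) -> int:
    """Simulate one request per egress address and count how many are accepted."""
    return sum(1 for ip in egress_ips if store.authenticate(sid, ip) is not None)


if __name__ == "__main__":
    store = IpBoundSessionStore()
    sid = store.login("jill", "198.51.100.10")
    # Same session id presented from a different address: rejected.
    print(store.authenticate(sid, "203.0.113.5"))  # None
    # Legitimate user behind a distributed proxy pool: only the address that
    # happened to be used at login is accepted, the rest fail.
    pool = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    print(count_accepted(store, sid, pool))  # 1 of 4
```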
