Adam,
What does everyone think of the idea of noting the IP address in the session so that session hijackers identified if they try to steal a session that has a different IP address from their own?

Are there any drawbacks to this method? Nobody can spoof an IP address and still get back the response, can they?

I know of at least one group that will get screwed: AOL users. (spare the jokes :)


No, really. I'm not sure if this is still the case, but I was working for a client that had a separate box running their application without a BigIP in front of it, simply because of their AOL users.

It seems that AOL plays games with their gateways and NAT configuration so that the same user can click around the web and appear to have a different source IP for every request. It's total madness and apparently BigIP couldn't make any sense of it, at least with the version they were using.

This could be a major drawback.

What you might want to do is create a security log and simply log when the IP address changes for a session. You might find that either AOL no longer does this, or you have no AOL customers using your site. On the other hand, you can always do retrospective security audits.

-chris
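As an added illustration of the two options discussed in this thread (this is example code, not anything posted by Adam or Chris), the session store below records the client IP at login and, on a mismatch, either drops the session (strict binding) or just writes a security-log entry and lets the request through (audit-only). The session IDs, user names and IP addresses are all constructed for the demo.

```python
import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("security")


@dataclass
class Session:
    user: str
    bound_ip: str                                   # IP seen at session creation
    ip_history: list = field(default_factory=list)  # every distinct IP seen since


class SessionStore:
    """strict=True  -> a request from a different IP invalidates the session.
       strict=False -> the change is only recorded in the security log."""

    def __init__(self, strict: bool = False):
        self.strict = strict
        self.sessions: dict[str, Session] = {}
        self.audit: list[dict] = []   # in-memory security log, for later review

    def create(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)              # unguessable session ID
        self.sessions[sid] = Session(user, client_ip, [client_ip])
        return sid

    def validate(self, sid: str, client_ip: str) -> tuple[bool, str]:
        """Return (accepted, reason) for a request presenting session `sid`."""
        sess = self.sessions.get(sid)
        if sess is None:
            return False, "unknown session"
        if client_ip == sess.bound_ip:
            # Same IP as at login; note this does not prove it is the same
            # client (users behind one NAT or proxy share an address).
            return True, "ok"
        entry = {"sid": sid[:8], "user": sess.user, "bound_ip": sess.bound_ip,
                 "seen_ip": client_ip, "ips_seen_before": len(sess.ip_history)}
        self.audit.append(entry)
        log.warning("session IP change: %s", entry)
        if self.strict:
            del self.sessions[sid]        # hard binding: force a fresh login
            return False, "ip mismatch"
        sess.ip_history.append(client_ip) # audit-only: keep serving, keep a record
        return True, "ip changed (logged)"
```

Run a few requests with a rotating source IP (the AOL-style case) through both modes to see which behaviour suits a given user base.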




