On Feb 4, 2006, at 12:05 PM, Jeff Watkins wrote:

As Patrick pointed out, the IP address is too prone to spoofing to add any extra security. Were Identity to rely on IP address in any way, everyone from AOL or Earthlink would stand a good chance of *appearing* to have the same IP address (thanks to NAT).

I agree that solely relying on the remote host address is not secure at all (I wonder then why the from_host predicate is there, anyway...). My idea was to add *another* (rather thin) layer of security *besides* the auth cookie. I mean, if you want to hijack my session, you must hijack my cookie, via XSS or sniffing (in this case I'm absolutely lost), AND spoof my IP address.

No. A unique cookie handed out at the beginning of the visit should be sufficient. If you can hijack that, you can also hijack my IP address.

Well, not exactly... the cookie can be hijacked by other means (XSS) which doesn't necessarily mean you can spoof my address (unless it's a man-in-the-middle attack, of course, http://www.iss.net/security_center/advice/Exploits/TCP/session_hijacking/default.htm).

As the thread from WebApp Sec that Patrick pointed out suggests, source IP checking for sessions is kind of hard to implement correctly (need to take into account the case of load balancing routers, NAT makes your efforts worthless, etc...) to even bother for the little extra security it gives.

Therefore, I must retract what I've said. Please make me a +0 on the IP checking for identity, but keep my +1 for visit tracking :)

Regards, Alberto
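The trade-off discussed in this message, as an added example that is not part of the original post and is not TurboGears Identity code: a hypothetical in-memory `VisitStore` validates a visit cookie with and without binding it to the remote address. The class, the function names and the RFC 5737 documentation addresses are all constructed for illustration.

```python
import secrets


class VisitStore:
    """Hypothetical visit tracker: random cookie token -> (user, first-seen address)."""

    def __init__(self, bind_ip=False):
        self.bind_ip = bind_ip
        self._visits = {}

    def start(self, user, remote_addr):
        # Unguessable token handed out at the beginning of the visit.
        token = secrets.token_urlsafe(32)
        self._visits[token] = (user, remote_addr)
        return token

    def check(self, token, remote_addr):
        """Return the user for a valid visit, or None if the request is rejected."""
        record = self._visits.get(token)
        if record is None:
            return None
        user, first_addr = record
        if self.bind_ip and remote_addr != first_addr:
            return None  # address changed since the visit started
        return user


def run_scenarios(bind_ip):
    """Return, per scenario, whether the request carrying the cookie is accepted."""
    store = VisitStore(bind_ip=bind_ip)
    accepted = {}
    # Legitimate user whose address never changes.
    t = store.start("alice", "192.0.2.10")
    accepted["stable_user"] = store.check(t, "192.0.2.10") == "alice"
    # Legitimate user behind load-balanced proxies: egress address differs per request.
    t = store.start("bob", "198.51.100.1")
    accepted["proxy_pool_user"] = store.check(t, "198.51.100.2") == "bob"
    # Cookie stolen (e.g. via XSS) and replayed from behind the victim's NAT gateway.
    t = store.start("carol", "203.0.113.7")
    accepted["stolen_cookie_same_nat"] = store.check(t, "203.0.113.7") == "carol"
    # The same stolen cookie replayed from an unrelated network.
    accepted["stolen_cookie_other_net"] = store.check(t, "192.0.2.99") == "carol"
    return accepted


if __name__ == "__main__":
    for mode in (False, True):
        print("bind_ip =", mode, run_scenarios(mode))
```

With binding enabled, only the replay from an unrelated network is stopped, while the proxy-pool user is locked out and the replay from behind the shared NAT address still succeeds.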

