lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20031117204704.GA16231@0dayspray.com>
From: dave at 0dayspray.com (David Maynor)
Subject: defense against session hijacking

On Mon, Nov 17, 2003 at 03:16:55PM -0600, Thomas M. Duffey wrote:
> Sorry if this is common knowledge or regularly discussed; I'm fairly
> new to the list.  I see quite a few messages on this and other
> security lists about session hijacking in Web applications.  Isn't it
> good defense for a programmer to store the IP address of the client
> when the session is initiated, and then compare that address against
> the client for each subsequent request, destroying the session if the
> address changes?  Do many programmers really overlook this simple
> method to protect against such an attack?  It's not perfect but should
> significantly increase the difficulty of such an attack with little or
> no annoying side effects for the legitimate user.  Would it be useful
> to extend the session modules of the common Web scripting languages
> (e.g. PHP) to enable an IP address check by default?
> 

This would break things like NATed machines and such.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ