Message-ID: <1069428400.7228.10.camel@wynken>
From: sam at reefedge.com (Sam Baskinger)
Subject: defense against session hijacking
Somewhat related, SCTP is a multi-homed transport protocol. If it finds
a home in webapps, using IPs as IDs becomes harder. :-)
Sam
On Mon, 2003-11-17 at 16:16, Thomas M. Duffey wrote:
> Hi All,
>
> Sorry if this is common knowledge or regularly discussed; I'm fairly
> new to the list. I see quite a few messages on this and other
> security lists about session hijacking in Web applications. Isn't it
> good defense for a programmer to store the IP address of the client
> when the session is initiated, and then compare that address against
> the client for each subsequent request, destroying the session if the
> address changes? Do many programmers really overlook this simple
> method to protect against such an attack? It's not perfect but should
> significantly increase the difficulty of such an attack with little or
> no annoying side effects for the legitimate user. Would it be useful
> to extend the session modules of the common Web scripting languages
> (e.g. PHP) to enable an IP address check by default?
>
> Best Regards,
>
> - --
> :: t h o m a s d u f f e y
> :: h o m e b o y z i n t e r a c t i v e
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
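The check Thomas describes (remember the client address when the session starts, compare it on every request, destroy the session on a change), written out as an added example; this is not code from the thread or from any PHP session module, and it assumes an in-memory store and constructed documentation-range addresses.

```python
import secrets
import time

# Added example (not code from the thread): an IP-bound session check
# of the kind Thomas describes, in a small in-memory session store.
SESSION_TTL = 1800  # seconds; assumed value, not from the thread

class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> record

    def create(self, user, client_ip):
        """Start a session and remember the address that started it."""
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = {"user": user, "ip": client_ip, "created": time.time()}
        return sid

    def validate(self, sid, client_ip):
        """Return the user if sid is live and the address matches.
        Any mismatch destroys the session, so an id presented from
        another address also logs out the legitimate holder."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if time.time() - rec["created"] > SESSION_TTL or rec["ip"] != client_ip:
            self.destroy(sid)
            return None
        return rec["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def exists(self, sid):
        return sid in self._sessions


def demo():
    """Constructed walk-through: normal use, then the same id from another address."""
    store = SessionStore()
    sid = store.create("alice", "192.0.2.10")
    first = store.validate(sid, "192.0.2.10")      # "alice"
    other = store.validate(sid, "198.51.100.7")    # None; session destroyed
    again = store.validate(sid, "192.0.2.10")      # None: the legitimate user is out too
    return first, other, again
```

The same comparison trips when the legitimate client's address changes for an innocent reason (the multi-homed case Sam raises), so the user is logged out rather than the session being carried over.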