To prevent the session fixation problem, who can we bind the IP address with session id? Is it possible to bind th session id with that of Ip address??
-
You can, but its not such a good idea. If your client is behind a farm of proxies their external IP address may change on every request. AOL do this, for example.
innaM : This is not yet an issue, but as soon as IPv6 gets used, clients will change their IP address quite often, whether they come from AOL or not.vartec : @Manni Care to elaborate on that?innaM : I was referring to the "IPv6 Privacy Extensions". : http://tools.ietf.org/html/rfc3041 -
I don't think that this is a good idea. Subsequent request from the same users might not necessarily come from the same IP address because the request might come from a different proxy. IIRC this used to be the case for all AOL users and might be the case for other providers or some corporate networks, too.
It is better to secure your session with page tokens to prevent highjacking a session.
-
http://en.wikipedia.org/wiki/Session_fixation
if($_SERVER['REMOTE_ADDR'] != $_SESSION['PREV_REMOTEADDR']) { session_destroy(); // destroy all data in session } session_regenerate_id(); // generate a new session identifier $_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];
-
I've read some article about it before. it is possible that you check the user IP address as an extra session meta data. but if you want to use it as a general session ID, you might have problem to deal with users behind a certain proxy gateway, where all users will have the same IP address. although it could be used to prevent session theft (using techniques like cookie highjacking) for some level. but it should be considered that the cookie hijacker can also mimic the IP address of the victim. so checking the user session and also the IP address can be a good practice to have a higher security, but is not a bullet proof solution.
0 comments:
Post a Comment