1

Right now I have this implemented in my Dev environment:

  • I store the $SERVER['REMOTE_ADDR'] as a session variable upon login, then recheck the page every page load for the same IP address.

The more I read, I see that many people don't like this idea because of proxy's etc... So, what are some other options that can still be good practce? I was thinking about USER AGENT - but any joe-blow can fake that with a simple firefox plugin. That said, at least it would take a good guess from an attacker to successfully pick the right one on the first try...

What do people think? I'd love to simply just change out the text: 'SERVER_ADDR' with something else - all the other code can remain as is.

Thanks.

EDIT: I guess my main goal here is to prevent hijacking/fixation. An IP check would in theory ensure that the user remains the user at all times (well, unless somebody's spoofing the IP also...) - but the session is basically saved to an IP address in this manor...

Shackrock
  • 4,601
  • 10
  • 48
  • 74

2 Answers2

2

Well, from someone who has spent half my time trying to prevent session hijacks, I can tell you that is a wrong way to go about it. Yes, in theory you will have guaranteed the user is the same, but then in practice you will get expected 'unexpected' results. Certain ISP change the IP with every page load. Proxies like tor do that as well. Your best bet is simply to use the user agent. Though that has drawbacks, you can't have a fully secure system. Just ensure that you prevent xss on your site and most likely, the user can't be faked too easily. I had other implementations. The first involved taking the first part of the IP and hashing it with the ua to ensure that the IP is always in the same range, but then I found out that the country ranges vary. Another involved a country lookup to ensure that the IP is from the same country, but then again that involved an extra database lookup. The best you can do is make it harder, but it will never be secure.

Almost forgot. Remember to regenerate the session I'd whenever you increase a user's priveleges such as in a login. This will help prevent session fixation attacks where the session id is passed via url. Remember your xss.

frostymarvelous
  • 2,786
  • 32
  • 43
  • Understandable, I'll switch to UA for now... and will employ some other tacticts as Pekka listed in his comment too. I do regenerate the ID on login. Thanks. – Shackrock Mar 13 '11 at 15:08
1

You can always do a mask on IP: 134.23.%.%.

ЯegDwight
  • 24,821
  • 10
  • 45
  • 52
severfire
  • 11
  • 1