On 27.09.13 12:12, Leigh wrote:
> On 26 September 2013 11:32, Tjerk Meesters <tjerk.meest...@gmail.com> wrote:
>>
>> On Thu, Sep 26, 2013 at 6:19 PM, Leigh <lei...@gmail.com> wrote:
>>>
>>> There are several scenarios where a user's IP changes and you don't want to
>>> drop their session. (That doesn't mean it should simply have an option to
>>> disable it either)
>>
>>
>> Let's be clear here: this won't happen (in most cases), because the client
>> will simply get a new cookie and the session will keep working; it's like
>> what you would implement if your user level goes from anonymous to logged in
>> and vice versa.
>
> Right, so maybe I misunderstood the intent of this.
>
> I was reading it as: valid SID on new IP = drop session, which to me
> seems like the more "secure" approach.
>
> What you're saying is when a valid SID is supplied on a new IP, you
> regenerate the SID and the session continues to be valid on the new
> IP?
>
> So on a successful session hijack (correct SID, new IP) the attacker
> gets a new SID and keeps the valid session while the legitimate user
> gets kicked out.
>
> Not seeing how that improves things at all.
So what about an ISP that changes the IP address of its clients every half hour? Suddenly the IP for a valid SID has changed and the legitimate user gets kicked out. Every half hour. No attacker needed. Does that improve things?

Regards

Andreas

--
Andreas Heigl
mailto:andr...@heigl.org   N 50°22'59.5" E 08°23'58"
http://andreas.heigl.org   http://hei.gl/wiFKy7
http://hei.gl/root-ca
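The two policies argued over in this thread, modelled as an added example (not code from the thread or from PHP's session extension); the toy session store, the policy names, the IP addresses and both scenarios are constructed here so the outcomes Leigh and Andreas describe can be checked directly:

```python
import secrets

# Policies for a valid SID presented from an IP other than the one it was issued to.
DROP = "drop_on_ip_change"              # invalidate the session outright
REGENERATE = "regenerate_on_ip_change"  # issue a new SID bound to the new IP


class SessionStore:
    # Constructed toy store mapping sid -> {"user", "ip"}; not a real session handler.
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}

    def login(self, user, ip):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "ip": ip}
        return sid

    def request(self, sid, ip):
        """Return the SID the client holds after this request, or None if dropped."""
        data = self.sessions.get(sid)
        if data is None:
            return None
        if data["ip"] == ip:
            return sid
        del self.sessions[sid]  # under either policy the old SID is never valid again
        if self.policy == DROP:
            return None
        new_sid = secrets.token_hex(16)  # REGENERATE: session continues on the new IP
        self.sessions[new_sid] = {"user": data["user"], "ip": ip}
        return new_sid


def copied_sid_scenario(policy):
    """Alice logs in from A; her SID is presented from B; Alice then requests from A.
    Returns (holder_of_copied_sid_has_session, alice_still_has_session)."""
    store = SessionStore(policy)
    sid = store.login("alice", "198.51.100.10")
    other = store.request(sid, "203.0.113.7")
    alice = store.request(sid, "198.51.100.10")
    return other is not None, alice is not None


def isp_rotation_scenario(policy, hops=3):
    """Bob's IP changes on every request (periodic ISP reassignment, no attacker).
    Returns True if Bob still holds a working session after all hops."""
    store = SessionStore(policy)
    sid = store.login("bob", "198.51.100.1")
    for i in range(2, hops + 2):
        sid = store.request(sid, f"198.51.100.{i}")
        if sid is None:
            return False
    return True
```

Under REGENERATE the holder of the copied SID keeps a session and Alice loses hers, as Leigh says; under DROP Bob is logged out on the first IP change, as Andreas says.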