For any commercial site it is almost impossible to use any portion of the address for "authentication" or non-repudiation. The main reason is AOL. At the last e-com site I managed, 70% of our traffic came from AOL. IIRC AOL used proxy "pods" for their netblocks. I would watch users hop from IP to IP and sometimes across entire subnets during a session. Now you could code your app to break for AOL users, but if you are a commercial entity that could present a few problems. The best use of IP address authentication is in a LAN environment where users are far less likely to go address hopping.

----- Original Message -----
From: <infoat_private>
To: "Obscure" <obscureat_private>
Cc: "Joe Harrison" <list-generalat_private>; "Securityfocus-Vulndev" <vuln-devat_private>
Sent: Friday, February 01, 2002 8:08 AM
Subject: RE: CSS, CSS & let me give you some more CSS

> If you use the IP address for the session cookie, an attacker can't use a
> stolen cookie.
> However, you can't use the IP address when BGP or a proxy is used.
> In this case the best protection is to change the session cookie
> for each transaction using a transaction counter.
> This will provide transaction non-repudiation.
> If such a session cookie is stolen and used by a hacker prior
> to the user, then the user's session will be blown away.
>
> Mike
>
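The rotate-per-transaction scheme Mike describes, as an added example written for this archive page (not code from anyone in the thread): a server-side store issues a fresh cookie on every transaction and, when a retired cookie is presented, treats it as evidence of theft and destroys the whole session. The class and method names are my own.

```python
import secrets
from typing import Dict, Optional, Tuple


class RotatingSessionStore:
    """Hypothetical store: one session cookie per transaction, replay kills the session."""

    def __init__(self) -> None:
        # session id -> {"counter": transactions completed, "current": live token}
        self._sessions: Dict[str, dict] = {}
        # every token ever issued -> session id (retired tokens stay here so a
        # replay can be told apart from a token the server never issued)
        self._tokens: Dict[str, str] = {}

    def create(self) -> Tuple[str, str]:
        """Start a session and hand out its first cookie."""
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"counter": 0, "current": None}
        return sid, self._issue(sid)

    def _issue(self, sid: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = sid
        self._sessions[sid]["current"] = token
        return token

    def transact(self, presented: str) -> Tuple[str, Optional[str]]:
        """Validate the presented cookie; on success return the next one.

        Returns (status, next_token) with status 'ok', 'replay' or 'unknown'.
        """
        sid = self._tokens.get(presented)
        if sid is None or sid not in self._sessions:
            return "unknown", None          # never issued, or session already gone
        session = self._sessions[sid]
        if session["current"] != presented:
            # A retired cookie is back: whoever holds it was overtaken by the
            # other holder, so the session is blown away for both parties.
            self.destroy(sid)
            return "replay", None
        session["counter"] += 1
        return "ok", self._issue(sid)

    def transaction_count(self, sid: str) -> int:
        return self._sessions[sid]["counter"]

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)
        for token in [t for t, s in self._tokens.items() if s == sid]:
            del self._tokens[token]
```

The replay branch is deliberately symmetric: if the thief uses the cookie first, the legitimate user's next request is the one that trips it, which is exactly the "session will be blown away" outcome the thread describes.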
This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 09:14:08 PST