Authentication with IP address, USER_AGENT...

nobru

Hi there,

I read a few times that one could use an IP address to prevent session hijacking fe.
In which circumstances can this be bad/ not working?
For example, what if several PCs share an IP address, etc...?

I thought of using the HTTP_USER_AGENT variable.
Can there be any drawbacks for this method?
And what about REMOTE_HOST?

Thanks for your help! 🙂

Traduim

When a group of PCs belong to a LAN and share an IP, it's really probable that they return the same HTTP_USER_AGENT and REMOTE_HOST.

Usually, LANs are administered by someone who likes to have all the PCs configured in the same way, and usually, the LAN admin don't really like it's LAN users to be distinguished out of the LAN.

pharcyde0

Might I ask why you fear the session hijacking? What element of your application is vulernable to session hijacking?

~pharcyde

PyroX

Session cookies are stored in browser, first check the browser agent, and then check ip, at least it adds another check.

nobru

I do not especially fear session hijacking, I just read a few times that sessions are not really secure, so I try to make mine as secure as possible 🙂

Thx for your answers!

pharcyde0

Well there are only three ways that I know that one can hijack a session. One steal the session id if it's contained in the url by looking at that person's screen (preventable by using frames or making sure user enables cookies), running a packet sniffer on the network (in which case you have bigger problems) or having some sort of trojan installed on the client or server (again you have bigger problems if this is the case). Either way anyone that can run a sniffer undetected will also most likely have the ability to spoof their ip as well.....so checking IP really won't add much, if any, securiity.

~pharcyde

nobru

Parcydeo, agree with you that if some experienced hackers wanna screw up my site or hijack sessions, there is little chance that I can prevent them from doing it. I am not a security expert...

But then, do you have any suggestions to make the sessions "relatively" secure?
I am really interested in this subject (even if my site is certainly not worth it! 😉