
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] Security & IP

I think you may have problems with this if my memory is correct on an issue.

Some ISPs (like AOL) use distributed application layer proxy servers.
Within an "application layer session" a single user from one computer may
appear to come from multiple IP addresses. (Not talking about a TCP session, but
a session where a person sits at a computer, and navigates around your web
site clicking on one link then another.) This may lead to problems with
implementing your code.

Have you considered using SSL to help protect your program from hijacking?

(More comments below)

Alan H. Lake said:
> I'm creating a PHP program that I'd like to protect against an attempt
> to "hijack" a session.  I want to insure that the IP address of the
> machine using the session is the same as that which started the
> session.  The approach that I'm using is that, if the session's IP is
> not stored in the session file, I'll store it.  If it is, I check to see
> whether it matches the current IP.  If the two don't match, I think I've
> been hijacked.

(I'm not so sure this will work universally. See above.)

> The problem is that I'm getting a false alarm because the 4th node of
> the current IP doesn't always match that of the IP that started the
> session.  The other three nodes do match.

The 4th octet of an IP address cannot be relied upon for proof of lack of
hijacking. When the Internet was built using classed networks, you could
determine the site/owner of a netblock based on the first octet's value.
This is not the case anymore. Even if you could assume two IP addresses
are from the same netblock, you can't be certain that the second IP is not
really an attempt at hijacking. Actually, this can be the reverse, as a
person sharing the first person's subnet may be able to sniff session
information from that target and then hijack the session. (Still talking
about an application layer "session" without SSL, NOT a TCP one.)

> Here are my questions.  Do I have adequate protection if I check just
> the first three nodes?

In my opinion, using only the first 3 octets of an IP address is not
sufficient.

> Is there a better way to detect such an attempt?

Use of SSL to help protect the session.

You might look into cookies, but they have other issues in cases like
shared workstations in a public area.

> The PHP code that I am using to get the IP addresses is this:
>   // Prefer the proxy-supplied client address when present, else the peer address.
>   if (getenv('HTTP_X_FORWARDED_FOR'))
>     $ipaddr = getenv('HTTP_X_FORWARDED_FOR');
>   else
>     $ipaddr = $_SERVER['REMOTE_ADDR'];   // was $REMOTE_ADDR under register_globals

Of course, my recollection of the way that AOL does things could be wrong,
or incorrect, but I *think* it is correct. I don't use AOL and have no
first-hand knowledge of this (with a sniffer or whatever) but when this
has come up before in meetings, nobody has stated it was not the case when
it was mentioned.

Your idea is quite creative and inventive. :-)

(Nothing comes from not trying, perhaps you will find a way yet.)

-ME


-- 
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
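The session-to-IP binding the original poster describes, written out as a runnable example (added here; not code from either participant, and in Python rather than PHP so it can be exercised offline). It reproduces the poster's header preference (X-Forwarded-For first, then the peer address), stores the first IP seen for a session, and compares later requests against it at a configurable prefix length, so the "first three nodes" check is the /24 case. The class and function names, and the sample addresses, are assumptions made for this example.

```python
import ipaddress


def client_ip(headers, remote_addr):
    """Mirror the poster's PHP: prefer X-Forwarded-For, else REMOTE_ADDR.

    Behind a proxy chain the header is a comma-separated list; the first
    entry is the address the proxies report for the original client.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def same_prefix(stored_ip, current_ip, prefix_len=32):
    """True when both addresses share their first prefix_len bits.

    prefix_len=32 is the poster's exact-match check; 24 is the
    'first three nodes' variant discussed in the thread.
    """
    net = ipaddress.ip_network(f"{stored_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(current_ip) in net


class SessionIpGuard:
    """Record the IP of the request that started a session; flag changes.

    As the reply warns, an ISP that rotates the client across proxy
    addresses mid-session will still trip this check, and a prefix match
    is not proof that the same user is behind the request.
    """

    def __init__(self, prefix_len=32):
        self.prefix_len = prefix_len
        self.sessions = {}  # session id -> IP seen at first request

    def check(self, session_id, headers, remote_addr):
        """Return True if the request is consistent with the stored IP."""
        ip = client_ip(headers, remote_addr)
        stored = self.sessions.setdefault(session_id, ip)
        return same_prefix(stored, ip, self.prefix_len)


if __name__ == "__main__":
    # Constructed sample traffic: the poster's false alarm, 4th octet differs.
    exact = SessionIpGuard(prefix_len=32)
    exact.check("s1", {}, "10.1.2.3")
    print("exact match, 4th octet changed:", exact.check("s1", {}, "10.1.2.4"))
```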