Re: [vox-tech] Security & IP
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [vox-tech] Security & IP
What's $.02 to you is worth $2M to me. Thanks.
I hear you say the https will probably give me the protection I need.
I'm planning to use that in production. I'll also use $REMOTE_ADDR with
On Wed, 2003-02-19 at 13:13, Micah J. Cowan wrote:
> On Wed, Feb 19, 2003 at 12:12:27PM -0500, Alan H. Lake wrote:
> > I'm creating a PHP program that I'd like to protect against an attempt
> > to "hijack" a session. I want to insure that the IP address of the
> > machine using the session is the same as that which started the
> > session. The approach that I'm using is that, if the session's IP is
> > not stored in the session file, I'll store it. If it is, I check to see
> > whether it matches the current IP. If the two don't match, I think I've
> > been hijacked.
> Well, since this method only protects someone from attackers with other
> world-visible IP addresses, leaving no protection from attackers who
> might be behind the same proxy, or attackers who have access to a
> router between your server and the user--and since there are easier
> methods--I wouldn't really have bothered with this, but...
> > The problem is that I'm getting a false alarm because the 4th node of
> > the current IP doesn't always match that of the IP that started the
> > session. The other three nodes do match.
> > Here are my questions. Do I have adequate protection if I check just
> > the first three nodes? Is there a better way to detect such an attempt?
> I can't figure out how this could be: is a proxy choosing between a
> group of IPs at whim for masquerades? I can't think of why this would be...
> But to answer your question: no. It leaves the victim susceptible to
> attack by up to 254 other users. Still better than *everybody*, but
> it's still just limited protection.
> > The PHP code that I am using to get the IP addresses is this:
> > if (getenv(HTTP_X_FORWARDED_FOR))
> > $ipaddr = getenv(HTTP_X_FORWARDED_FOR);
> > else
> > $ipaddr = $REMOTE_ADDR;
> You should just use $REMOTE_ADDR. In this case, you *do* want the IP
> of the ISP's proxy server, since that's the only IP address that you are
> actually in contact with. This still leaves the user open to attack
> from others on the same ISP.... But I'll bet that's why you're getting
> different IPs for the same session: Maybe the ISP is setting
> X-Forwarded-For: for some requests and not others; or maybe it is
> setting them erroneously. Either way, you will get different results
> each time. But (I'm pretty sure) you can't get different IPs for
> $REMOTE_ADDR if you're being accessed by the same machine for a
> As I've pointed out a couple times, there are still, in pretty much
> all cases, groups of users who can "hijack" the session, if you are
> vulnerable to such attacks. A better idea is just to use a fairly
> random selection process for the session id, with enough bits that one
> couldn't hijack the session without knowing the id. As to those who
> are along the route such that they *can* see the id, blocking by IP
> only affords limited protection, since IP-spoofing is a possibility in
> that case.
> In most cases, it's simply not worth worrying about people who can spy
> "on-route", since that is usually only a theoretical vulnerability
> (i.e., few crackers actually practice this, or are in a position
> to). In those cases where extreme security must be exercised, you can
> use HTTPS, or a challenge-response-style authentication for every HTTP
> HTH; just my $0.02,
> vox-tech mailing list
Alan H. Lake
Lake Information Works
6999 Dolan Road
Glouster, OH 45732-9003
vox-tech mailing list