views:

69

answers:

1

I apologize ahead of time, because I'm neither great at explaining things nor flow charts. This is not a specific code problem, but a general question on session security.

I'm trying to eliminate as many potential problems as possible at once. I think this takes care of:

  • CSRF
  • Session fixation
  • Session prediction
  • Cookie theft (through browser vulnerabilities)
  • Session sidejacking

I realize the session can still be sidejacked if both the attacker's IP and user-agent header are the same as the authenticated user's. I guess to make that bulletproof you would need SSL?

I would appreciate any critiques, if you can make out what I'm trying to say with the clusterfuck below. This is more or less what I'm doing:

EDIT - another question I had: Is it safe to assume that a user will not have an IP address that changes frequently enough for this to become a problem?

flow chart

+2  A: 

This looks fine, although you need to figure out what to do with AJAX requests that are supposed to return JSON or XML where the session has expired.

No, it is not safe to assume that the IP address will stay the same. Although almost dead, AOL was notorious for this, where they would use 20-30 proxy servers to query your HTTP servers for a single dial-up client.

SSL is a must, and the certificates are very cheap now - this should alleviate all concerns re. "man in the middle" attacks.

m1tk4
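As an added illustration of the answer's points (not code from the question or the answer), a framework-agnostic Python sketch of the session check: a fresh id is issued at login, the session is bound to the user-agent but deliberately not to the client IP, which the answer explains can change between requests, and an expired or invalid session is reported to AJAX callers as a JSON 401 instead of a redirect to the login page. The function names, the in-memory store and the 30-minute TTL are assumptions of the example.

```python
import json
import secrets
import time

# Constructed in-memory session store: session_id -> record. Each record keeps
# the user-agent it was issued to, not the IP: as the answer notes, one client
# may arrive from many proxy addresses, so an IP binding would log users out.
SESSIONS = {}
SESSION_TTL = 1800  # seconds of inactivity before a session expires (assumed)

def create_session(user, user_agent, now=None):
    """Issue a new unpredictable id at login (defeats fixation and prediction)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ua": user_agent, "last": now or time.time(),
                     "csrf": secrets.token_urlsafe(32)}  # per-session CSRF token
    return sid

def is_ajax(headers):
    """Common heuristic: XHR marker header, or a JSON/XML Accept header."""
    accept = headers.get("Accept", "")
    return (headers.get("X-Requested-With") == "XMLHttpRequest"
            or "application/json" in accept or "application/xml" in accept)

def session_expired_response(headers):
    """Answer an AJAX caller in its own format; redirect a browser to /login."""
    if is_ajax(headers):
        return {"status": 401, "headers": {"Content-Type": "application/json"},
                "body": json.dumps({"error": "session_expired"})}
    return {"status": 302, "headers": {"Location": "/login"}, "body": ""}

def validate_session(sid, headers, now=None):
    """Return the session record, or None if unknown, expired or UA-mismatched."""
    now = now or time.time()
    rec = SESSIONS.get(sid)
    if rec is None:
        return None
    if now - rec["last"] > SESSION_TTL or rec["ua"] != headers.get("User-Agent"):
        SESSIONS.pop(sid, None)  # destroy rather than leave a stale record behind
        return None
    rec["last"] = now  # sliding expiry
    return rec

def handle_request(sid, headers, now=None):
    """Dispatch one request: a dict standing in for the framework's response."""
    rec = validate_session(sid, headers, now)
    if rec is None:
        return session_expired_response(headers)
    return {"status": 200, "headers": {}, "body": "hello " + rec["user"]}
```

The user-agent binding still does not stop an attacker who copies both the cookie and the header, which is why the answer treats SSL as the real fix for sidejacking.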