tags:

views:

472

answers:

4
+1  Q: 

Binding of IP address with Session id

To prevent the session fixation problem, who can we bind the IP address with session id? Is it possible to bind th session id with that of Ip address??

+1  A: 

You can, but its not such a good idea. If your client is behind a farm of proxies their external IP address may change on every request. AOL do this, for example.

Visage  2009-03-06 10:10:11
This is not yet an issue, but as soon as IPv6 gets used, clients will change their IP address quite often, whether they come from AOL or not.
innaM  2009-03-06 10:14:49
@Manni Care to elaborate on that?
vartec  2009-03-06 10:16:14
I was referring to the "IPv6 Privacy Extensions". : http://tools.ietf.org/html/rfc3041
innaM  2009-03-06 11:12:18
+1  A: 

I don't think that this is a good idea. Subsequent request from the same users might not necessarily come from the same IP address because the request might come from a different proxy. IIRC this used to be the case for all AOL users and might be the case for other providers or some corporate networks, too.

It is better to secure your session with page tokens to prevent highjacking a session.

0xA3  2009-03-06 10:10:39
A: 

http://en.wikipedia.org/wiki/Session_fixation

if($_SERVER['REMOTE_ADDR'] != $_SESSION['PREV_REMOTEADDR']) {
   session_destroy(); // destroy all data in session
}
session_regenerate_id(); // generate a new session identifier
$_SESSION['PREV_REMOTEADDR'] = $_SERVER['REMOTE_ADDR'];
vartec  2009-03-06 10:11:51
A: 

I've read some article about it before. it is possible that you check the user IP address as an extra session meta data. but if you want to use it as a general session ID, you might have problem to deal with users behind a certain proxy gateway, where all users will have the same IP address. although it could be used to prevent session theft (using techniques like cookie highjacking) for some level. but it should be considered that the cookie hijacker can also mimic the IP address of the victim. so checking the user session and also the IP address can be a good practice to have a higher security, but is not a bullet proof solution.

farzad  2009-03-06 10:13:11

related questions

WPF: Bind an element to two sources
Understanding Dynamic Binding
How to enable assembly bind failure logging (FUSION) in .NET
How do you bind the TextWrapping property of a TextBox to the IsChecked value of a MenuItem?
WPF ComboBox SelectedValue not updating from binding source.
How do you access the DisplayMemberPath from a ListBox when trying to bind it to the content of the ListBoxItem?
XAML : Binding textbox maxlength to Class constant
Complex model binding to a list
ElementName Binding Broken in a ControlTemplate
IIS 7.0 Multiple Domain Site Bindings
WPF Databinding and cascading Converters?
WPF Binding My.Settings collection to Combobox items
WPF binding with StringFormat doesn't work on ToolTips
What libs can I use to bind POJOs to external files for TDD without much overhead?
JavaScript Callback Scope
What are the differences between using the New keyword and calling CreateObject in Excel VBA?
What is "lambda binding" in Python?
WCF is not binding to the correct IP address
How to bind from a ContentTemplate to the surrounding custom Control?
What is the best way to generate XML Binding Code from a DTD?
binding variables to parameters in ADOdb for PHP
How can you clone a WPF object?
Get the DefaultView DataRowView from a DataRow
What are Early and Late Binding?
What is the value-binding syntax in xaml?