l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
August 5: Social gathering
Next Installfest:
TBD
Latest News:
Jul. 4: July, August and September: Security, Photography and Programming for Kids
Page last updated:
2003 Feb 19 11:37

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] Security & IP
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] Security & IP



On Wed, Feb 19, 2003 at 12:12:27PM -0500, Alan H. Lake wrote:
> I'm creating a PHP program that I'd like to protect against an attempt
> to "hijack" a session.  I want to insure that the IP address of the
> machine using the session is the same as that which started the
> session.  The approach that I'm using is that, if the session's IP is
> not stored in the session file, I'll store it.  If it is, I check to see
> whether it matches the current IP.  If the two don't match, I think I've
> been hijacked.

Well, since this method only protects someone from attackers with other
world-visible IP addresses, leaving no protection from attackers who
might be behind the same proxy, or attackers who have access to a
router between your server and the user--and since there are easier
methods--I wouldn't really have bothered with this, but...

> 
> The problem is that I'm getting a false alarm because the 4th node of
> the current IP doesn't always match that of the IP that started the
> session.  The other three nodes do match.
> 
> Here are my questions.  Do I have adequate protection if I check just
> the first three nodes?  Is there a better way to detect such an attempt?

I can't figure out how this could be: is a proxy choosing between a
group of IPs at whim for masquerades? I can't think of why this would be...

But to answer your question: no. It leaves the victim susceptible to
attack by up to 254 other users. Still better than *everybody*, but
it's still just limited protection.

> The PHP code that I am using to get the IP addresses is this:
>   if (getenv(HTTP_X_FORWARDED_FOR))
>     $ipaddr = getenv(HTTP_X_FORWARDED_FOR);
>   else
>     $ipaddr = $REMOTE_ADDR;

You should just use $REMOTE_ADDR. In this case, you *do* want the IP
of the ISP's proxy server, since that's the only IP address that you are
actually in contact with. This still leaves the user open to attack
from others on the same ISP.... But I'll bet that's why you're getting
different IPs for the same session: Maybe the ISP is setting
X-Forwarded-For: for some requests and not others; or maybe it is
setting them erroneously. Either way, you will get different results
each time. But (I'm pretty sure) you can't get different IPs for
$REMOTE_ADDR if you're being accessed by the same machine for a
session.

As I've pointed out a couple times, there are still, in pretty much
all cases, groups of users who can "hijack" the session, if you are
vulnerable to such attacks. A better idea is just to use a fairly
random selection process for the session id, with enough bits that one
couldn't hijack the session without knowing the id. As to those who
are along the route such that they *can* see the id, blocking by IP
only affords limited protection, since IP-spoofing is a possibility in
that case.

In most cases, it's simply not worth worrying about people who can spy
"on-route", since that is usually only a theoretical vulnerability
(i.e., few crackers actually practice this, or are in a position
to). In those cases where extreme security must be exercised, you can
use HTTPS, or a challenge-response-style authentication for every HTTP
request.

HTH; just my $0.02,
Micah
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.