jeffreyhi1 / loginsystem-rd

Automatically exported from code.google.com/p/loginsystem-rd

Cookie Authentication From Different IP #25

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
If a user presents a cookie for authentication and the remote IP does not
match that of the IP used during registration, force the user to
reauthenticate with the userid and password.

Original issue reported on code.google.com by rdivilb...@gmail.com on 9 Mar 2010 at 4:25

GoogleCodeExporter commented 8 years ago

Original comment by rdivilb...@gmail.com on 9 Mar 2010 at 4:28

GoogleCodeExporter commented 8 years ago
Since HTTP is a stateless protocol, in order to maintain state web applications need to ensure that a session identifier is sent by the browser with each request. The session identifier is most commonly stored in an HTTP cookie or URL. Using a brute force attack, an attacker can guess the session identifier of another user. This can lead to the attacker impersonating the user, retrieving personal information and performing actions on behalf of the user.

Session identifiers usually consist of a number or a sequence of characters. In order for a brute force attack to succeed, the possible range of values for the session identifier must be limited. If the predicted range of values for a session identifier is very small based on existing information, the attack is referred to as a session prediction attack.

One way to mitigate this form of attack is to ensure the hash of the remote IP is part of the cookie value. Checking that the hash matches the hash of the IP used at the time the cookie was issued is therefore required.

NOTE: This leads to a potential DOS against a valid user should the user attempt cookie authentication from a different IP such as a wireless hot spot. This is considered a minor inconvenience as the account holder only needs to reauthenticate with their userid and password.

Original comment by rdivilb...@gmail.com on 16 Apr 2010 at 5:59
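As an added illustration of the scheme proposed in the comments above (example code written for this page, not from the loginsystem-rd project): the cookie carries the session id, a hash of the issuing IP and an HMAC over both under a server key, and validation returns `reauthenticate` on an IP mismatch so the application can fall back to the userid/password login. The server key, the `|` cookie layout and the status strings are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from config.
SERVER_KEY = b"constructed-server-secret-key"


def new_session_id() -> str:
    # 32 random bytes, so the value space is far too large to guess or predict.
    return secrets.token_urlsafe(32)


def _ip_hash(remote_ip: str) -> str:
    return hashlib.sha256(remote_ip.encode()).hexdigest()[:16]


def _mac(session_id: str, ip_hash: str, key: bytes) -> str:
    # MAC over both fields so neither can be swapped or edited client-side.
    return hmac.new(key, f"{session_id}|{ip_hash}".encode(), hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, remote_ip: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value: <session id>|<hash of issuing IP>|<HMAC over both>."""
    ip_hash = _ip_hash(remote_ip)
    return f"{session_id}|{ip_hash}|{_mac(session_id, ip_hash, key)}"


def validate_cookie(cookie: str, remote_ip: str, key: bytes = SERVER_KEY) -> str:
    """Return 'ok', 'reauthenticate' (IP changed) or 'invalid' (malformed/tampered)."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return "invalid"
    session_id, ip_hash, mac = parts
    # Constant-time comparisons so the checks do not leak timing information.
    if not hmac.compare_digest(mac, _mac(session_id, ip_hash, key)):
        return "invalid"
    if not hmac.compare_digest(ip_hash, _ip_hash(remote_ip)):
        # The case the NOTE describes: a valid user on a new network
        # (e.g. a wireless hot spot) is sent back to the userid/password login.
        return "reauthenticate"
    return "ok"


if __name__ == "__main__":
    cookie = issue_cookie(new_session_id(), "203.0.113.10")
    print(validate_cookie(cookie, "203.0.113.10"))  # ok
    print(validate_cookie(cookie, "198.51.100.7"))  # reauthenticate
```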