LPJon opened 5 years ago
Is it necessary to invalidate the authentication token or can we simply restrict it to a given IP address?
Invalidation is preferred. IP restriction could be hacked by ARP poisoning, which opens man-in-the-middle attacks. If the bad client were to mimic a MAC address, the same IP may be assigned to the bad client, which would restrict the good client (kicking them out of the session) and give access to the bad client. It is better to destroy the compromised session and force the good user to log back in.
Note: ARP poisoning would most likely not matter if the session connection to the server is encrypted by https. However, if the bad client were able to steal the authentication token in an insecure way, say through a browser attack, then https wouldn't matter. That problem is listed as another feature request where the cookie flags are set by XO so the browser knows to only send those cookies over an https connection and actively refuses to send them over an insecure one. Usually in that particular case the browser will detect an issue and destroy the session from the client side.
If IP restriction was the only option I would still rather have that than nothing at all.
Context
Expected behavior
When a client's (web browser) IP changes with a CURRENTLY ACTIVE session the session is killed and the user is logged out of the session immediately. This protects the session cookie from being stolen from the current "Good" client and being used at another "Bad" client or IP address which bypasses the need for a username and password.
Current behavior
When a client's (web browser) IP changes with a CURRENTLY ACTIVE session, the session is not killed and the user is capable of being logged into both sessions at the same time from two different IPs. This allows a "Good" and "Bad" user to be logged into a current session at the same time, making it possible to "hijack" a currently active session.