?
Solved

session changing with ip from vbulletin tutorial

Posted on 2013-06-24
3
Medium Priority
?
651 Views
Last Modified: 2013-06-25
from the vbulletin forum tutorial:
Session IP Octet Length Check
Select the subnet mask that reflects the level of checking you want to run against IP addresses when a session is being fetched.

This is useful if you have a large number of users who are behind transparent proxies (for example, AOL) and have an IP address that can change randomly between requests.

The more the level is decreased the greater the security risk from session hijacking.



what does this mean
so If i have a session in the database do i have to check against ip
arent sessions saved with php

please do not just send me a general tutorial about sessions
0
Comment
Question by:rgb192
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 600 total points
ID: 39273875
http://www.vbulletin.com/docs/html/vboptions_group_server
This is used to specify to which octet an IP is verified to during session retrieval. This means that if for some reason an IP changes between requests as long as it is within the allowed length the session will remain. This is most likely to happen when an ISP has transparent proxies such is the case with AOL.

Open in new window

0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 1400 total points
ID: 39274572
This question has been on the minds of developers for a long time!
http://www.acros.si/papers/session_fixation.pdf

Bulletin boards and forums are subject to a lot of attacks (like WordPress sites) so elevated levels of security are often recommended.  One such level of security is accomplished by verifying the IP address associated with each request.  If the IP address changes between requests, the assumption is that the second request was an attack made with session hijacking.  But this assumption is inadequate for three reasons.  First, it can give a false positive if the IP address was changed because the client was an AOL dial-up.  AOL changes the IP addresses all the time.  Second, it can give a false negative if two or more clients all come to your site from the same IP address, such as might exist in an office network. Third, it depends on the IP address being accurate, but the IP address is settable in the request so there is no canonical information in the IP address.  In other words, using the IP address for security is only likely to work with clients who are not really security threats in the first place, and is likely to inconvenience a segment of the population.

There is some information here that you may want to take into account:
http://php.net/manual/en/session.security.php

You can set your own session cookies.  You can regenerate the session id.  You can follow the same rules that the Automatic Teller Machine uses -- asking for the password before each transaction that changes or exposes valuable information.

A good place to learn more is the OWASP.
0
 

Author Closing Comment

by:rgb192
ID: 39274878
I think that Ray's answer contains more data

thanks for information about ips/ sessions
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question