[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 656
  • Last Modified:

session changing with ip from vbulletin tutorial

from the vbulletin forum tutorial:
Session IP Octet Length Check
Select the subnet mask that reflects the level of checking you want to run against IP addresses when a session is being fetched.

This is useful if you have a large number of users who are behind transparent proxies (for example, AOL) and have an IP address that can change randomly between requests.

The more the level is decreased the greater the security risk from session hijacking.



what does this mean
so If i have a session in the database do i have to check against ip
arent sessions saved with php

please do not just send me a general tutorial about sessions
0
rgb192
Asked:
rgb192
2 Solutions
 
Loganathan NatarajanLAMP DeveloperCommented:
http://www.vbulletin.com/docs/html/vboptions_group_server
This is used to specify to which octet an IP is verified to during session retrieval. This means that if for some reason an IP changes between requests as long as it is within the allowed length the session will remain. This is most likely to happen when an ISP has transparent proxies such is the case with AOL.

Open in new window

0
 
Ray PaseurCommented:
This question has been on the minds of developers for a long time!
http://www.acros.si/papers/session_fixation.pdf

Bulletin boards and forums are subject to a lot of attacks (like WordPress sites) so elevated levels of security are often recommended.  One such level of security is accomplished by verifying the IP address associated with each request.  If the IP address changes between requests, the assumption is that the second request was an attack made with session hijacking.  But this assumption is inadequate for three reasons.  First, it can give a false positive if the IP address was changed because the client was an AOL dial-up.  AOL changes the IP addresses all the time.  Second, it can give a false negative if two or more clients all come to your site from the same IP address, such as might exist in an office network. Third, it depends on the IP address being accurate, but the IP address is settable in the request so there is no canonical information in the IP address.  In other words, using the IP address for security is only likely to work with clients who are not really security threats in the first place, and is likely to inconvenience a segment of the population.

There is some information here that you may want to take into account:
http://php.net/manual/en/session.security.php

You can set your own session cookies.  You can regenerate the session id.  You can follow the same rules that the Automatic Teller Machine uses -- asking for the password before each transaction that changes or exposes valuable information.

A good place to learn more is the OWASP.
0
 
rgb192Author Commented:
I think that Ray's answer contains more data

thanks for information about ips/ sessions
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now