Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

session changing with ip from vbulletin tutorial

Posted on 2013-06-24
3
Medium Priority
?
653 Views
Last Modified: 2013-06-25
from the vbulletin forum tutorial:
Session IP Octet Length Check
Select the subnet mask that reflects the level of checking you want to run against IP addresses when a session is being fetched.

This is useful if you have a large number of users who are behind transparent proxies (for example, AOL) and have an IP address that can change randomly between requests.

The more the level is decreased the greater the security risk from session hijacking.



what does this mean
so If i have a session in the database do i have to check against ip
arent sessions saved with php

please do not just send me a general tutorial about sessions
0
Comment
Question by:rgb192
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 600 total points
ID: 39273875
http://www.vbulletin.com/docs/html/vboptions_group_server
This is used to specify to which octet an IP is verified to during session retrieval. This means that if for some reason an IP changes between requests as long as it is within the allowed length the session will remain. This is most likely to happen when an ISP has transparent proxies such is the case with AOL.

Open in new window

0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 1400 total points
ID: 39274572
This question has been on the minds of developers for a long time!
http://www.acros.si/papers/session_fixation.pdf

Bulletin boards and forums are subject to a lot of attacks (like WordPress sites) so elevated levels of security are often recommended.  One such level of security is accomplished by verifying the IP address associated with each request.  If the IP address changes between requests, the assumption is that the second request was an attack made with session hijacking.  But this assumption is inadequate for three reasons.  First, it can give a false positive if the IP address was changed because the client was an AOL dial-up.  AOL changes the IP addresses all the time.  Second, it can give a false negative if two or more clients all come to your site from the same IP address, such as might exist in an office network. Third, it depends on the IP address being accurate, but the IP address is settable in the request so there is no canonical information in the IP address.  In other words, using the IP address for security is only likely to work with clients who are not really security threats in the first place, and is likely to inconvenience a segment of the population.

There is some information here that you may want to take into account:
http://php.net/manual/en/session.security.php

You can set your own session cookies.  You can regenerate the session id.  You can follow the same rules that the Automatic Teller Machine uses -- asking for the password before each transaction that changes or exposes valuable information.

A good place to learn more is the OWASP.
0
 

Author Closing Comment

by:rgb192
ID: 39274878
I think that Ray's answer contains more data

thanks for information about ips/ sessions
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question