Solved

session changing with ip from vbulletin tutorial

Posted on 2013-06-24
3
630 Views
Last Modified: 2013-06-25
from the vbulletin forum tutorial:
Session IP Octet Length Check
Select the subnet mask that reflects the level of checking you want to run against IP addresses when a session is being fetched.

This is useful if you have a large number of users who are behind transparent proxies (for example, AOL) and have an IP address that can change randomly between requests.

The more the level is decreased the greater the security risk from session hijacking.



what does this mean
so If i have a session in the database do i have to check against ip
arent sessions saved with php

please do not just send me a general tutorial about sessions
0
Comment
Question by:rgb192
3 Comments
 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 150 total points
ID: 39273875
http://www.vbulletin.com/docs/html/vboptions_group_server
This is used to specify to which octet an IP is verified to during session retrieval. This means that if for some reason an IP changes between requests as long as it is within the allowed length the session will remain. This is most likely to happen when an ISP has transparent proxies such is the case with AOL.

Open in new window

0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 350 total points
ID: 39274572
This question has been on the minds of developers for a long time!
http://www.acros.si/papers/session_fixation.pdf

Bulletin boards and forums are subject to a lot of attacks (like WordPress sites) so elevated levels of security are often recommended.  One such level of security is accomplished by verifying the IP address associated with each request.  If the IP address changes between requests, the assumption is that the second request was an attack made with session hijacking.  But this assumption is inadequate for three reasons.  First, it can give a false positive if the IP address was changed because the client was an AOL dial-up.  AOL changes the IP addresses all the time.  Second, it can give a false negative if two or more clients all come to your site from the same IP address, such as might exist in an office network. Third, it depends on the IP address being accurate, but the IP address is settable in the request so there is no canonical information in the IP address.  In other words, using the IP address for security is only likely to work with clients who are not really security threats in the first place, and is likely to inconvenience a segment of the population.

There is some information here that you may want to take into account:
http://php.net/manual/en/session.security.php

You can set your own session cookies.  You can regenerate the session id.  You can follow the same rules that the Automatic Teller Machine uses -- asking for the password before each transaction that changes or exposes valuable information.

A good place to learn more is the OWASP.
0
 

Author Closing Comment

by:rgb192
ID: 39274878
I think that Ray's answer contains more data

thanks for information about ips/ sessions
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction HTML checkboxes provide the perfect way for a web developer to receive client input when the client's options might be none, one or many.  But the PHP code for processing the checkboxes can be confusing at first.  What if a checkbox is…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to count occurrences of each item in an array.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now