Solved

session changing with ip from vbulletin tutorial

Posted on 2013-06-24
3
634 Views
Last Modified: 2013-06-25
from the vbulletin forum tutorial:
Session IP Octet Length Check
Select the subnet mask that reflects the level of checking you want to run against IP addresses when a session is being fetched.

This is useful if you have a large number of users who are behind transparent proxies (for example, AOL) and have an IP address that can change randomly between requests.

The more the level is decreased the greater the security risk from session hijacking.



what does this mean
so If i have a session in the database do i have to check against ip
arent sessions saved with php

please do not just send me a general tutorial about sessions
0
Comment
Question by:rgb192
3 Comments
 
LVL 36

Assisted Solution

by:Loganathan Natarajan
Loganathan Natarajan earned 150 total points
ID: 39273875
http://www.vbulletin.com/docs/html/vboptions_group_server
This is used to specify to which octet an IP is verified to during session retrieval. This means that if for some reason an IP changes between requests as long as it is within the allowed length the session will remain. This is most likely to happen when an ISP has transparent proxies such is the case with AOL.

Open in new window

0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 350 total points
ID: 39274572
This question has been on the minds of developers for a long time!
http://www.acros.si/papers/session_fixation.pdf

Bulletin boards and forums are subject to a lot of attacks (like WordPress sites) so elevated levels of security are often recommended.  One such level of security is accomplished by verifying the IP address associated with each request.  If the IP address changes between requests, the assumption is that the second request was an attack made with session hijacking.  But this assumption is inadequate for three reasons.  First, it can give a false positive if the IP address was changed because the client was an AOL dial-up.  AOL changes the IP addresses all the time.  Second, it can give a false negative if two or more clients all come to your site from the same IP address, such as might exist in an office network. Third, it depends on the IP address being accurate, but the IP address is settable in the request so there is no canonical information in the IP address.  In other words, using the IP address for security is only likely to work with clients who are not really security threats in the first place, and is likely to inconvenience a segment of the population.

There is some information here that you may want to take into account:
http://php.net/manual/en/session.security.php

You can set your own session cookies.  You can regenerate the session id.  You can follow the same rules that the Automatic Teller Machine uses -- asking for the password before each transaction that changes or exposes valuable information.

A good place to learn more is the OWASP.
0
 

Author Closing Comment

by:rgb192
ID: 39274878
I think that Ray's answer contains more data

thanks for information about ips/ sessions
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Move wordpress site 3 41
Really simple no curl. Send a post 3 times 4 25
PHP Form Calculate Total Price 10 42
Logic behind "best rated" calculation 11 22
Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question