Re: Is the way i do, secure enought to avoid session hijacking
- From: "gerry" <germ@xxxxxxxxxxx>
- Date: Thu, 26 May 2005 16:40:49 -0400
AOL requests are forwarded via proxy servers - each request is 'round
robined' through x number of proxy servers; each request in the same session
can have a different IP because they were proxied through different servers.
The internal IP address wouldn't change, but that isn't the address that the
web server sees - it sees the addresses of the proxy servers. Same
principle as NAT but via multiple gateways.
Here is a live example from our IIS log files - some names have been
changed to protect the innocent ;-) :
2004-08-05 19:08:18 152.163.253.33 - 80 GET /valens.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) -
2004-08-05 19:09:05 152.163.252.101 - 80 GET /announcements.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/valens.htm
2004-08-05 19:09:07 152.163.252.194 - 80 GET /_derived/announcements.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:09 152.163.253.36 - 80 GET /images/AN01249_.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:18 152.163.252.100 - 80 GET /family_forest.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:20 152.163.252.194 - 80 GET /_derived/family_forest.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/family_forest.htm
2004-08-05 19:09:42 152.163.253.9 - 80 GET /gallery.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/family_forest.htm
2004-08-05 19:09:46 152.163.252.196 - 80 GET /_derived/gallery.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/gallery.htm
2004-08-05 19:09:52 152.163.253.36 - 80 GET /contacts.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/gallery.htm
2004-08-05 19:09:53 152.163.252.98 - 80 GET /_derived/contacts.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/contacts.htm
2004-08-05 19:10:05 152.163.253.98 - 80 GET /guest_book.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/contacts.htm
2004-08-05 19:10:08 152.163.252.104 - 80 GET /_derived/guest_book.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/guest_book.htm
2004-08-05 19:10:18 152.163.253.103 - 80 GET /home.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/guest_book.htm
2004-08-05 19:10:19 152.163.252.101 - 80 GET /_derived/valens.htm_cmp_glacier-roots010_vbtn_a.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:19 152.163.253.36 - 80 GET /_derived/home.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:19 152.163.253.103 - 80 GET /_derived/valens.htm_cmp_glacier-roots010_vbtn.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:19 152.163.253.100 - 80 GET /images/j0174006.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:19 152.163.253.101 - 80 GET /images/HM00287_.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/
2004-08-05 19:10:21 152.163.252.98 - 80 GET /_themes/glacier-roots/aglabul1.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+A
"Kevin Spencer" <kevin@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OglHMmiYFHA.1040@xxxxxxxxxxxxxxxxxxxxxxx
> Within the AOL LAN, IP addresses are assigned on a per-client-session basis,
> if I'm not mistaken (at least with dial-up connections). But again, this is
> not my area of expertise. Still, I understand quite a bit about networks,
> and I can't imagine why an IP address of a machine inside a network would
> change within the same client session. It is, again, the "return address" of
> the computer on the network.
>
> --
> HTH,
>
> Kevin Spencer
> Microsoft MVP
> .Net Developer
> Sometimes you eat the elephant.
> Sometimes the elephant eats you.
>
> "gerry" <germ@xxxxxxxxxxx> wrote in message
> news:OcbepXiYFHA.3152@xxxxxxxxxxxxxxxxxxxxxxx
> > Are you sure about that?
> > From what I have read about AOL proxies and what I see in my IIS logs - it
> > seems that this is not true and that there can be multiple IPs for a single
> > client within a session.
> > I don't have the ASP.NET session id in the log files so I can't be 100%
> > certain.
> > Gerry
> >
> >
> >
> > "Kevin Spencer" <kevin@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:OLVN9UhYFHA.3184@xxxxxxxxxxxxxxxxxxxxxxx
> >> Hi Hope,
> >>
> >> Your method looks pretty sound to me. The client's IP address cannot
> >> change between requests. It is, after all, the "return address" for the
> >> client's HTTP messages.
> >>
> >> --
> >> HTH,
> >>
> >> Kevin Spencer
> >> Microsoft MVP
> >> .Net Developer
> >> Sometimes you eat the elephant.
> >> Sometimes the elephant eats you.
> >>
> >> "Hope Paka" <utezduyar@xxxxxxxxxxx> wrote in message
> >> news:esEDt7gYFHA.2684@xxxxxxxxxxxxxxxxxxxxxxx
> >> > I am storing user login information (not password) in the session. I
> >> > also use cookieless session. I realized that, if someone copy-pastes the
> >> > URL after he/she logged in to the system to another person, the other
> >> > person's browser opens as if the sender logged in.
> >> >
> >> > 1) Person A logs in to the system. (login information is stored in
> >> > SQL Session state)
> >> >
> >> > 2) Person A copy-pastes the url and sends it to person B (format of
> >> > the url is http://domain/(sessionid)/XYZ.aspx)
> >> >
> >> > 3) When person B opens the URL, its window opens as if person A was
> >> > logged in to the system.
> >> >
> >> > This is a security threat. I have overcome this by doing the following.
> >> >
> >> > When the user logs in to the system, a login ticket is generated and
> >> > it is stored in the session. This login ticket contains two things, one
> >> > is the client IP address, the other one is the user-agent.
> >> >
> >> > Then at each request, I validate if the registered login ticket
> >> > information is the same.
> >> >
> >> > If person A sends the URL to person B, then I assumed that person B's IP
> >> > address should be different than person A's.
> >> >
> >> > I found an article on MSDN,
> >> > http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/ (Foiling
> >> > Session Hijacking Attempts). The way Jeff has done it is similar to the
> >> > one that I have done. Is this reliable? The only thing I wonder is if the
> >> > user's IP address changes at each request!
> >> >
> >> >
> >>
> >>
> >
> >
>
>
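An added example, not code from the thread or from the MSDN article it cites: it replays the first twelve complete records of the IIS log excerpt above through the (IP, user-agent) ticket check Hope described, assuming the first record (referer "-") is the login request and that the ticket stores the exact client address; the `prefix` parameter is an assumption of this example that compares only the network part of the address, to show how much a /24 or /16 match relaxes the check against this traffic.

```python
import ipaddress

# IIS W3C records copied from the post above. Fields: date, time, c-ip, cs-username,
# s-port, cs-method, cs-uri-stem, cs-uri-query, sc-status, cs-host, cs(User-Agent),
# cs(Referer); '+' stands for a space. The truncated final record is left out.
IIS_LOG = """\
2004-08-05 19:08:18 152.163.253.33 - 80 GET /valens.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) -
2004-08-05 19:09:05 152.163.252.101 - 80 GET /announcements.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/valens.htm
2004-08-05 19:09:07 152.163.252.194 - 80 GET /_derived/announcements.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:09 152.163.253.36 - 80 GET /images/AN01249_.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:18 152.163.252.100 - 80 GET /family_forest.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/announcements.htm
2004-08-05 19:09:20 152.163.252.194 - 80 GET /_derived/family_forest.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/family_forest.htm
2004-08-05 19:09:42 152.163.253.9 - 80 GET /gallery.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/family_forest.htm
2004-08-05 19:09:46 152.163.252.196 - 80 GET /_derived/gallery.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/gallery.htm
2004-08-05 19:09:52 152.163.253.36 - 80 GET /contacts.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/gallery.htm
2004-08-05 19:09:53 152.163.252.98 - 80 GET /_derived/contacts.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/contacts.htm
2004-08-05 19:10:05 152.163.253.98 - 80 GET /guest_book.htm - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/contacts.htm
2004-08-05 19:10:08 152.163.252.104 - 80 GET /_derived/guest_book.htm_cmp_glacier-roots010_bnr.gif - 200 www.oursite.com Mozilla/4.0+(compatible;+MSIE+6.0;+AOL+9.0;+Windows+NT+5.1) http://www.oursite.com/guest_book.htm
"""


def parse(log):
    """Return one (time, client_ip, uri, user_agent, referer) tuple per record."""
    out = []
    for line in log.splitlines():
        f = line.split()
        if len(f) < 12:
            continue  # skip blank or truncated lines
        out.append((f[1], f[2], f[6], f[10].replace("+", " "), f[11]))
    return out


def ticket_matches(ticket, client_ip, user_agent, prefix=32):
    """The check from the thread: the ticket holds (ip, user_agent) captured at login
    and a request is accepted only if both still match. prefix=32 is the exact-address
    comparison; a smaller prefix (assumed variant) compares only the network part."""
    net = ipaddress.ip_network(f"{ticket[0]}/{prefix}", strict=False)
    return ipaddress.ip_address(client_ip) in net and user_agent == ticket[1]


def evaluate(log, prefix=32):
    """Treat the first record as the login; return the distinct client IPs seen and
    the URIs of the follow-up requests the ticket check would have rejected."""
    recs = parse(log)
    ticket = (recs[0][1], recs[0][3])  # ip and user-agent of the login request
    rejected = [r[2] for r in recs[1:] if not ticket_matches(ticket, r[1], r[3], prefix)]
    return sorted({r[1] for r in recs}, key=ipaddress.ip_address), rejected


if __name__ == "__main__":
    for p in (32, 24, 16):
        ips, rej = evaluate(IIS_LOG, p)
        print(f"/{p}: {len(ips)} distinct IPs, {len(rej)} of {len(ips) + 1} requests rejected")
```

With an exact-address ticket every follow-up request in this one browsing session is rejected; only widening the match to /16 (the whole AOL proxy range seen here) lets the session survive, and at that point the IP part of the ticket no longer distinguishes two AOL users from each other.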