Re: Session IP address matching

> I've seen the initial page and subsequent image requests for a single
> page load come from different IP addresses.

It certainly happens.

Ultimately, though, the question isn't just about ultradynamic IPs.
It's simply about the acceptable percentage of humans whose session
expiry will be 1 or 2 minutes when everybody else's is 10m or more.
These people will be unwilling to use your site if you implement this
feature and do not allow the _user_ to turn it off him/herself if
necessary.

For our site, a team-based web app, that percentage is *zero*. We
cannot under any circumstances prohibit somebody from inviting another
user who happens to roam on cellular or heavily proxied networks. I
must also allow the team manager to easily manage such a setting on
behalf of their reports, who are frequently not as technically savvy
and certainly don't want to race to get to their User Profile area in
time.

We're also addressing attackers who have sniffed your encrypted
traffic and can wedge in-between your constantly-changing session IDs
-- significant security measures that have no such collateral damage.
I guess the attackers have client certs covered as well. (Of course,
if they have this level of ownership, there's a good chance they're
being NATted through your same source IP anyway!) Is it worth shedding
potential users, potentially killing your entire business if it is
collaborative in nature, in order to thwart this probably-null set of
potential attackers? I say no, and any security auditor who
automatically penalizes you if you don't say "yes" isn't doing his/her
job.

-- Sandy