[vox-tech] Security & IP

Micah J. Cowan vox-tech@lists.lugod.org
Wed, 19 Feb 2003 10:13:25 -0800 

On Wed, Feb 19, 2003 at 12:12:27PM -0500, Alan H. Lake wrote:
> I'm creating a PHP program that I'd like to protect against an attempt
> to "hijack" a session.  I want to insure that the IP address of the
> machine using the session is the same as that which started the
> session.  The approach that I'm using is that, if the session's IP is
> not stored in the session file, I'll store it.  If it is, I check to see
> whether it matches the current IP.  If the two don't match, I think I've
> been hijacked.

Well, since this method only protects someone from attackers with other
world-visible IP addresses, leaving no protection from attackers who
might be behind the same proxy, or attackers who have access to a
router between your server and the user--and since there are easier
methods--I wouldn't really have bothered with this, but...

> 
> The problem is that I'm getting a false alarm because the 4th node of
> the current IP doesn't always match that of the IP that started the
> session.  The other three nodes do match.
> 
> Here are my questions.  Do I have adequate protection if I check just
> the first three nodes?  Is there a better way to detect such an attempt?

I can't figure out how this could be: is a proxy choosing between a
group of IPs at whim for masquerades? I can't think of why this would be...

But to answer your question: no. It leaves the victim susceptible to
attack by up to 254 other users. Still better than *everybody*, but
it's still just limited protection.

> The PHP code that I am using to get the IP addresses is this:
>   if (getenv(HTTP_X_FORWARDED_FOR))
>     $ipaddr = getenv(HTTP_X_FORWARDED_FOR);
>   else
>     $ipaddr = $REMOTE_ADDR;

You should just use $REMOTE_ADDR. In this case, you *do* want the IP
of the ISP's proxy server, since that's the only IP address that you are
actually in contact with. This still leaves the user open to attack
from others on the same ISP.... But I'll bet that's why you're getting
different IPs for the same session: Maybe the ISP is setting
X-Forwarded-For: for some requests and not others; or maybe it is
setting them erroneously. Either way, you will get different results
each time. But (I'm pretty sure) you can't get different IPs for
$REMOTE_ADDR if you're being accessed by the same machine for a
session.

As I've pointed out a couple times, there are still, in pretty much
all cases, groups of users who can "hijack" the session, if you are
vulnerable to such attacks. A better idea is just to use a fairly
random selection process for the session id, with enough bits that one
couldn't hijack the session without knowing the id. As to those who
are along the route such that they *can* see the id, blocking by IP
only affords limited protection, since IP-spoofing is a possibility in
that case.

In most cases, it's simply not worth worrying about people who can spy
"on-route", since that is usually only a theoretical vulnerability
(i.e., few crackers actually practice this, or are in a position
to). In those cases where extreme security must be exercised, you can
use HTTPS, or a challenge-response-style authentication for every HTTP
request.

HTH; just my $0.02,
Micah