Avoiding session hijacking in ASP.NET

I recently read an article on how to make ASP.NET sessions more secure here and at first it seems really useful.

Previously, I saved the user's IP address in the session, and then monitored each subsequent request so that the requesting IP was equal to the stored IP address.

The code in this article also protects the session by checking the IP address, except that it stores a message authentication hash containing the user's IP address as part of the session cookie. It creates a hashed MAC twice for each request, which I believe will slow things down a bit.

I already see a potential flaw in their code: if you somehow obtained the key used to create the MAC, you could generate a valid MAC with your own IP address; you would not even have to spoof the IP address on which the session was running.

It seems that this overcomplicates a simple task, and not only requires a lot of overhead but is also more prone to attack than the trivial method, if I have not completely missed the point.

So why would this approach be safer than the simpler approach I used?

As a minor aspect, the author also states that you should not use the entire IP address in comparison, as some user IP addresses change each request if they are located behind a proxy server. Is this still the case if you check X_FORWARDED_FOR?

Thanks!

+6
security session-hijacking
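As an added example, not code from the question or from the linked article: the cookie-binding scheme described above in Python, with the network-prefix comparison the article recommends and a trusted-proxy check for the X_FORWARDED_FOR point in the last paragraph. The /24 prefix, the `.` separator inside the cookie and the trusted-proxy set are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional, Set

# Constructed server-side secret (assumption): in ASP.NET this would live in
# protected configuration, never in the page or the source tree.
SERVER_KEY = secrets.token_bytes(32)


def _client_scope(client_ip: str, prefix_len: int = 24) -> str:
    """Reduce the address to its network prefix so a user behind a rotating
    proxy pool is not logged out on every request (the article's caveat).
    /24 for IPv4 and /64 for IPv6 are assumptions, not values from the page."""
    ip = ipaddress.ip_address(client_ip)
    plen = prefix_len if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def _mac(session_id: str, scope: str, key: bytes) -> str:
    # HMAC over session id and network prefix: unforgeable without the key.
    msg = f"{session_id}|{scope}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Cookie value = session id plus a MAC binding it to the client's network."""
    return f"{session_id}.{_mac(session_id, _client_scope(client_ip), key)}"


def verify_cookie(cookie: str, client_ip: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the session id if the MAC matches this client's network, else None.
    compare_digest keeps the comparison constant-time."""
    try:
        session_id, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = _mac(session_id, _client_scope(client_ip), key)
    return session_id if hmac.compare_digest(tag, expected) else None


def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Set[str]) -> str:
    """X-Forwarded-For is client-supplied unless one of our own proxies appended
    to it, so honour it only when the direct peer is a trusted proxy, and walk
    the chain right-to-left: the rightmost untrusted hop is the real client."""
    if not x_forwarded_for or remote_addr not in trusted_proxies:
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        if hop not in trusted_proxies:
            return hop
    return remote_addr
```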
1 answer

See this post: What is the best way to prevent session hijacking?

Basically, you should use HTTPS on your login page and in any other "sensitive areas".

+6
