Hi Leigh,

On Fri, Sep 27, 2013 at 7:12 PM, Leigh <lei...@gmail.com> wrote:
> So on a successful session hijack (correct SID, new IP) the attacker
> gets a new SID and keeps the valid session while the legitimate user
> gets kicked out.
>
> Not seeing how that improves things at all.
>

There are 2 improvements:

1. Generally speaking, more frequent session ID regeneration is more secure.
2. Detection/indication of attacks is good for security.

Showing active sessions and the possible intrusion/source of intrusion is the application's task, but session ID regeneration upon IP change is an easy and simple task for the session module. Why not have it as an optional feature? It would be better than nothing if the end user has a chance to know about the attack. IMHO.

Many systems send a notification mail when a password or other important information has changed. The damage has already been done if it is an attack, but the user could know there was an attack. Session ID regeneration is the same kind of countermeasure. If the app supports showing the number of active sessions, the user could verify whether they are under a session hijack attack or not. It's up to the app, though.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
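The behaviour discussed in this message (regenerate the session ID when the client IP changes, and leave it to the application to surface the event to the user) can be emulated in userland today. The following is an added example written for this thread; it is not code from the PHP session module or from either poster. It assumes a standard PHP session configuration, takes the client address from `$_SERVER['REMOTE_ADDR']`, and uses the session keys `bound_ip` and `ip_change_events` and the function name `checkSessionIp`, all of which are names chosen for this example.

```php
<?php
// Added example: userland emulation of "regenerate session ID on IP change".
// Assumptions (not from the thread): session keys 'bound_ip' and
// 'ip_change_events', and the helper name checkSessionIp, are chosen here.
declare(strict_types=1);

/**
 * Bind the session to the client IP on first use. On a later request from a
 * different IP, regenerate the session ID (destroying the old one, so whoever
 * still holds the old SID is cut off) and record the event for the application.
 *
 * Returns the recorded event array when an IP change was handled, null otherwise.
 */
function checkSessionIp(string $clientIp): ?array
{
    if (!isset($_SESSION['bound_ip'])) {
        // First request of this session: bind it to the current client IP.
        $_SESSION['bound_ip'] = $clientIp;
        $_SESSION['ip_change_events'] = [];
        return null;
    }

    if ($_SESSION['bound_ip'] === $clientIp) {
        return null; // same client IP, nothing to do
    }

    $previousIp = $_SESSION['bound_ip'];

    // Fresh SID; true = delete the old session data so the old SID is dead.
    session_regenerate_id(true);

    // Keep the event in the session so the application can show the user
    // "session moved from X to Y at T" and let them judge whether it was a
    // hijack or a legitimate change (mobile network, proxy, VPN).
    $event = [
        'from' => $previousIp,
        'to'   => $clientIp,
        'at'   => time(),
        'sid'  => session_id(), // the new SID after regeneration
    ];
    $_SESSION['ip_change_events'][] = $event;
    $_SESSION['bound_ip'] = $clientIp;

    return $event;
}

// Usage: run on every request after the session has been started.
session_start();
$event = checkSessionIp($_SERVER['REMOTE_ADDR'] ?? '');
if ($event !== null) {
    // Hypothetical notification hook: a real application would mail the
    // user or list the event on an "active sessions" page.
    error_log(sprintf(
        'session %s: client IP changed %s -> %s',
        $event['sid'], $event['from'], $event['to']
    ));
}
```

Two points of design worth noting. First, `session_regenerate_id(true)` is what makes the old SID useless, so whichever party keeps sending it (the legitimate user, in Leigh's scenario) is logged out, which is exactly the trade-off debated above; the recorded event is what turns that disruption into an indication the user can act on. Second, an IP change is only a signal, not proof of hijacking: clients behind mobile carriers, proxies or VPNs change addresses routinely, so the application should present the events rather than treat each one as a confirmed attack.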