IP Address as Session ID

need a better approach

grahamstewart

4:44 pm on Feb 17, 2004 (gmt 0)

<This topic was split from another thread [webmasterworld.com]>

uses the IP as a session variable so if a user's IP changes then the session is dropped

If I can just threadjack for a moment: this is a pretty standard technique to avoid accidental or deliberate session hijacking and is especially useful when the session ID is held in the URL where it can easily be changed by the user. I've used this approach myself after reading about it on PHP fora.

So a couple of questions:

  • How often does AOL rotate the IPs?
  • Does it force users to disconnect or does it happen in the background?
  • What other approaches can we use instead?

    [edited by: tedster at 7:13 pm (utc) on Feb. 17, 2004]

    march83

    4:48 pm on Feb 17, 2004 (gmt 0)

    AOL seems to rotate them silently after every couple of clicks. I use PowerPhlogger on my site as I don't have access to server logs, and one AOL user ends up counting as about 20 unique hits as their IP keeps changing. Very annoying, but I'm sure it is done for good reason!?

    Marc

    beakertrail

    5:01 pm on Feb 17, 2004 (gmt 0)

    How often does AOL rotate the IPs?

    I don't know, but it appears to be fairly regular, perhaps every 15 minutes, but it is impossible for me to say. Perhaps a tech-savvy AOL user can check?

    Does it force users to disconnect or does it happen in the background?

    It happens completely seamlessly... well it is supposed to. AOL users don't notice.

    What other approaches can we use instead?

    Many other web sites employ security mechanisms that do not rely on IPs. IP addresses can be spoofed, after all. Cookies saved to disk, and browser session cookies with encrypted session info in them, are the normal way of doing things. This extra level of security using the IPs is just that, extra. And in many cases, not helping.

    Very annoying, but i'm sure it is done for good reason!?

    It is for security. Rotating the IP addresses of connected users, especially those on broadband, helps stop hackers getting to the user's computer. It also stops the user from setting up an FTP / web server from their house on an AOL broadband connection.

    I don't know how this works with other services running on AOL such as MSN messenger, Netmeeting, streaming media, etc.

    I know it causes very inaccurate web site stats. 1 AOL user on for 10 mins shows as 1 user, but if the IP rotates, let's say, every 15 mins and they are on for 1 hour, then it shows up as 5 users.

    grahamstewart

    5:22 pm on Feb 17, 2004 (gmt 0)

    IP addresses can be spoofed after all.

    True - but so can cookies, can't they? I reckon it's a lot harder for me to spoof someone's IP address than it is for me either to create my own cookie (which is just a text file after all) or to copy a cookie from their PC onto mine (easy enough in a networked office environment).

    browser session cookies with encrypted session info

    Sounds a bit more like it - but surely they can be copied too?
    (Though I think many browsers don't create files for 'session only' cookies.)

    However none of this deals with the case where the user disallows cookies (which is all too common unfortunately).

    Still looking for a better solution...
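The thread above contrasts two approaches: dropping a session whenever the client IP changes (which logs out users behind rotating proxies such as the AOL case described), and the alternative beakertrail points at, a server-side session looked up by an opaque identifier. The following is an added example, written for this page and not code from any poster or from PHP; it shows a small server-side session store whose IP-binding policy is a parameter (exact address, same /24, or no binding), plus an idle timeout and ID rotation after login, so the trade-off can be exercised directly. It assumes IPv4 addresses and uses constructed RFC 5737 test addresses; the class, function and parameter names are the example's own. Whether the ID travels in a cookie or in the URL is a transport detail here; what makes either tolerable is that the ID comes from a CSPRNG and is validated only against server-side state.

```python
"""Server-side session store with a configurable IP-binding policy.

Added example written for this page; not code from the thread's posters.
Shows why hard-binding a session to the client IP breaks for users behind
rotating proxies, and what to do instead: an unguessable random ID
validated server side, an idle timeout, and a fresh ID after login.
"""
import ipaddress
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: str
    user: str
    ip: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Sessions live on the server; the client only ever holds the opaque ID,
    whether it travels in a cookie or in the URL."""

    def __init__(self, ip_prefix=0, idle_timeout=900, now=time.time):
        # ip_prefix: 32 = exact-IP binding (the technique the thread questions),
        # 24 = same /24 is enough, 0 = no IP binding at all.
        # IPv4 only (assumption of this example).
        self.ip_prefix = ip_prefix
        self.idle_timeout = idle_timeout
        self.now = now          # injectable clock so the behaviour is testable
        self._sessions = {}

    def _same_network(self, a, b):
        if self.ip_prefix == 0:
            return True
        net = lambda ip: ipaddress.ip_network(f"{ip}/{self.ip_prefix}", strict=False)
        return net(a) == net(b)

    def create(self, user, ip):
        # 128 random bits from the OS CSPRNG: the ID cannot be guessed or
        # enumerated, which is what makes a URL-carried ID tolerable at all.
        sid = secrets.token_urlsafe(16)
        t = self.now()
        self._sessions[sid] = Session(sid, user, ip, t, t)
        return sid

    def lookup(self, sid, ip):
        """Return the live Session for sid, or None (and drop it) if it has
        gone idle or violates the IP-binding policy."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        if t - s.last_seen > self.idle_timeout:
            self.destroy(sid)
            return None
        if not self._same_network(s.ip, ip):
            # With ip_prefix=32 this is exactly where a rotating-proxy user
            # (the AOL case in the thread) gets logged out mid-visit.
            self.destroy(sid)
            return None
        s.last_seen = t
        return s

    def rotate(self, sid):
        """Swap in a fresh ID, e.g. right after authentication, so an ID that
        was observed or planted before login is worthless afterwards."""
        s = self._sessions.pop(sid, None)
        if s is None:
            return None
        s.sid = secrets.token_urlsafe(16)
        self._sessions[s.sid] = s
        return s.sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def rotating_proxy_scenario(ip_prefix):
    """Constructed scenario: a client logs in from one address and its next
    request arrives from another one in the same /24. Returns True if the
    session survived the change."""
    store = SessionStore(ip_prefix=ip_prefix, now=lambda: 1_000.0)
    sid = store.create("alice", "198.51.100.7")      # RFC 5737 test address
    return store.lookup(sid, "198.51.100.200") is not None


if __name__ == "__main__":
    print("exact /32 binding survives IP change:", rotating_proxy_scenario(32))
    print("/24 binding survives IP change:      ", rotating_proxy_scenario(24))
    print("no IP binding survives IP change:    ", rotating_proxy_scenario(0))
```

Run as a script it prints the three policy outcomes for the constructed scenario. The /24 option is only a middle ground in the sense that it tolerates some address movement; nothing on this page establishes what range a given provider's proxies actually rotate through, so whether any prefix is wide enough is something to measure against real logs, not assume.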