[drupal-devel] [feature] Bind session to User Agent

chx drupal-devel at drupal.org
Sat Apr 2 15:34:00 UTC 2005 

Issue status update for http://drupal.org/node/19845

 Project:      Drupal
 Version:      cvs
 Component:    base system
 Category:     feature requests
 Priority:     critical
 Assigned to:  chx
 Reported by:  chx
 Updated by:   chx
 Status:       patch

Forgot to change the title.


chx



Previous comments:
------------------------------------------------------------------------

April 2, 2005 - 00:50 : chx

Attachment: http://drupal.org/files/issues/bindip.patch (896 bytes)

This would make session hijacking more than a bit harder. 
The code can be compacted even more, but I did not dare.


------------------------------------------------------------------------

April 2, 2005 - 01:51 : danielc

IP's can change during a session.  So, this isn't a good idea.


------------------------------------------------------------------------

April 2, 2005 - 02:23 : chx

I read a Zope coders' thread [1] on this, and they proposed it as
optional, but on as default. So, admin/settings? Or -- and I'd prefer
this one -- settings.php?
[1] http://mail.zope.org/pipermail/zope-coders/2004-October/005239.html


------------------------------------------------------------------------

April 2, 2005 - 03:18 : vauxia

The concern over transient IPs is only going to get worse as time goes
by.  
You've got your load-balanced proxy servers, dropped-and-restored
dial-up connections (yes, people still do use dial-up!).   plus there
are all those laptops and handheld devices accessing various wireless
and wired networks throughout the day.
On an average day, my laptop accesses the internet from no less than
3-4 different IP addresses, and I would get right feisty if I kept
losing my Drupal session every time.  I work with a lot of people who
administer Drupal sites but aren't that technically adept.  If they had
a problem with feisty laptop owners I would want them to be able to
change the settings easily, which means that the settings should be in
admin.
Many ISPs and most corporations use some kind of NAT, which means that
binding to IP addresses isn't that effective anyway.  True, you limit
the number of clients that can use a session by restricting to IP - but
I'm more concerned about my coworker impersonating me than I am about a
random stranger lucking out with my session_id.  So restricting by IP
causes problems without really fixing any real ones.
One thought is to bind the session to USER_AGENT.  It is still
guessable and spoofable, and certainly not perfect.  But it does not
change for at least as long as the user keeps their browser open and
can vary quite significantly (browser, plug-ins, revision/build, OS,
etc.).  It has many benefits over using the IP, with the only real
trade-off being that it is easier to spoof.


------------------------------------------------------------------------

April 2, 2005 - 15:57 : kbahey

I agree that this should not be included as a standard features.
Entire ISPs and even countries are behind proxies that could change the
IP address within the same session. This would cause havoc for those
behind such proxies. They would not be able to have a meaningful Drupal
session at all.
-1 for that reason.


------------------------------------------------------------------------

April 2, 2005 - 16:33 : chx

Attachment: http://drupal.org/files/issues/session.inc_3.patch (686 bytes)

So be it.

More information about the drupal-devel mailing list