8

I just started reading about cookies and all the ways I can get them wrong and allow cookies to be hijacked which allows attackers to do things like impersonate a logged in user.

I don't understand why this can't be solved by simply having the server add to each cookie a signature determined by the rest of the cookie, a secret key on the server, and the IP of whoever is making the request. Stolen cookies would then be mostly useless for anyone who can't receive a response at that IP. Any readable data in a stolen cookie itself could still be accessed but stolen cookies couldn't be used to impersonate someone else.

Why doesn't this work? Is there some way to receive packets bound for an IP address that you don't control? I know that on my local network I can read packets meant for other computers on my local network but I don't think there's any way to send a copy of all the packets meant for stackoverflow.com to my residential IP.

If this was our only means of security you could still send spoofed requests but you couldn't trick the server into sending anything back to your own IP (I think) which still seems useful.

I didn't find anything about associating cookies with IPs on google so I figure this doesn't work but I don't know why.

Praxeolitic
  • 603
  • 6
  • 11
  • 1
    See also https://www.owasp.org/index.php/Session_Management#Associating_Session_Information_With_IP_Address, http://security.stackexchange.com/q/24287/971, http://security.stackexchange.com/q/35977/971, http://security.stackexchange.com/q/17073/971, http://security.stackexchange.com/q/58648/971. – D.W. Dec 10 '15 at 23:41
  • There are more laptops than desktops these days. So a single person can have many IP addresses in a single day. – slebetman Dec 11 '15 at 03:06

3 Answers3

23

If the cookie gets stolen inside a public Wifi Hotspot all users of the Hotspot have usually the same public IP address. This means binding to an IP would not help against an attacker in the same local network.

Apart from that if the public IP of users changes like it is the case with moving between networks (Mobile, WLAN university, WLAN at cafe, WLAN at home...) they would need to login again and again.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • 3
    And some don't even need to move, since their ISP don't assign them static ip's – Braiam Dec 11 '15 at 05:38
  • @Braiam, you are of course right but most dynamic IPs seem stable of a timescale of days to months if you leave the router on. Even with my old router powering right down overnight (timeswitch on the mains) I could keep the same IP for weeks. – Chris H Dec 11 '15 at 09:33
  • @ChrisH: in Germany it is common that the ISP will cut the connection once a day and you get a new IP address assigned. – Steffen Ullrich Dec 11 '15 at 09:36
  • @SteffenUllrich at my house in the UK the connection drops quite frequently but randomly on some days but the IP stays the same. Is the German pattern a deliberate IP refresh or does it serve some other purpose? – Chris H Dec 11 '15 at 09:40
  • 1
    @ChrisH: traditionally it probably was to make it harder to run a public server there. But today with the cheap servers out there - I don't know. – Steffen Ullrich Dec 11 '15 at 09:46
3

Steffen Ullrich is right about the dubious security gain. The reason we don't implement it in practice is due to the former prevalence of multi-homed NAT boxes where X computers would be reduced to N IP addresses (where X >> N). The side effect in the way this worked was the next request would come from a different IP in the same subnet, and you don't know where subnet boundaries are anymore due to CIDR.

Joshua
  • 1,090
  • 7
  • 11
1

You could associate based on ip for the duration of a session, in case you're looking at an application of somesort, and age and expire that after a certain time. It is fairly certain that you would not engage in something like banking transactions for an extended periods of time, but for something like social sites, it is fairly lax.

m2kin2
  • 89
  • 2