| Author |
 Topic  |
|
|
Carefree
Advanced Member
Philippines
4207 Posts |
 Posted - 04 February 2016 : 15:39:18
|
| I need a method for ASP which will determine if a user's name/password and/or session is already active with a different IP address. I searched the web, but haven't found anything that I can use yet. |
|
|
HuwR
Forum Admin
United Kingdom
20579 Posts |
Posted - 04 February 2016 : 15:53:23
|
| you could put some code in gloabal asa to log ip and time,then check that data whenever a new session starts, however it won't be that accurate since you can request a new session quite legitimately before a previous one has expired |
MVC .net dev/test site | MVC .net running on Raspberry Pi |
 |
|
|
Carefree
Advanced Member
Philippines
4207 Posts |
Posted - 04 February 2016 : 18:52:10
|
Thought of a way to do it. Record IP address at login. On all pages other than login, compare that value to Request.ServerVariables("REMOTE_ADDR"). If two don't match, someone else has logged in with same credentials.
|
|
|
|
AnonJr
Moderator
United States
5765 Posts |
Posted - 05 February 2016 : 15:04:03
|
Semi-random question: if I'm browsing on my phone or tablet's cell connection and I cross enough cell nodes, will my IP change?
I ask only because I'm wondering what circumstances could cause a legit change in IP, and what edge cases you might want to be aware of. |
|
|
|
Carefree
Advanced Member
Philippines
4207 Posts |
Posted - 05 February 2016 : 15:57:24
|
| It will not impact this. The IP address will not be updated in the database except upon login. It can be checked by a number of pages against the server variables. If they don't match, then someone has shared his/her credentials with a friend/co-worker; or has been hacked. No matter which, it will result in immediate termination of access. |
|
|
|
AnonJr
Moderator
United States
5765 Posts |
Posted - 05 February 2016 : 16:27:37
|
I think I get what you're after - a way to see if someone's credentials are being used by two different people at the same time as a means of checking if the person's credentials are being used in an unauthorized fashion. The mechanism used to accomplish that being to look for simultaneous requests from different IP addresses, under the assumption that if a hit comes in at 13:22:22 from 204.23.211.12 and a hit comes in at 13:25:10 from 180.12.222.21 then one of the two is an unauthorized use of the credentials and therefore needs to be terminated.
The main thrust of my question was if there are circumstances that could cause a false-positive (or a false-negative now that I really put some thought into it) in that kind of check, and if they are likely enough to warrant some consideration.
The example that I initially had in mind: I'm on my LTE-enabled tablet riding the bus in to work. If I cross enough cell nodes, will I change IP addresses? Will the change in IP addresses create the illusion that two different people are connecting?
The other example that came to mind as I was refining this post: I'm in a coffee shop with open WiFi and someone watching too many Hak5 episodes and not enough ethics classes nabs the cookie in transit (or uses some other means to duplicate my credentials), because they're behind the same router on the coffee shop's WiFi they're going to show as the same IP. The whole thing with FireSheep from a while back comes to mind.
I'm wondering if there may be other scenarios more likely than that that may warrant a re-think of how to address the core issue.
I'm also wondering about the likelihood that a different individual using the same credentials would be on at the same time as the original user.
Please don't hear what I'm not saying: I'm not saying the idea should be tossed out or that it's completely wrong. It certainly would cover the "I live in AU, but someone in CN is trying to log in as me" type scenario.
This was just an attempt to help a little by way of questions. There have been times I wish someone would have made me go through my assumptions and premises a little more thoroughly before I put in all that work... on the other hand I've been accused (sometimes with good reason) of over-thinking things.  |
|
|
|
Carefree
Advanced Member
Philippines
4207 Posts |
Posted - 06 February 2016 : 04:49:52
|
If user A signs in, his/her IP address will be recorded during that process and a cookie written with the information. The cookie will include not only credential information but IP address and date/time of connection. User A can do whatever is authorized for that account. Now, if someone else signs in using the same credentials (regardless of how he/she obtained them), that address and/or date/time will change.
When User A next changes pages (or refreshes the current one), his/her IP address will no longer match what the login data reflects. Then the cookie will be checked for a match. If there is a match, access will be allowed to continue (covering a single mobile user's connection). This will not eliminate the cookie grabbing capability.
However, if there is no match between the cookie and database, credentials have been duplicated, and access will be terminated for both User A and the unauthorized user. User A will then have to contact the staff and request a new password and restoration of privileges.
The only way to be 100% sure of authorized users only would require capturing the machine's information itself and restricting connections to authorized equipment. The problem with that approach is determining whether the person(s) submitting the information remotely are really the authorized users. They would have to visit one of the physical locations of authorized government offices to have their machine's data submitted.
In the event of lost/stolen equipment, three consecutive failed login attempts will also lock the account, generating EMail to User A and to the security team. The security team will generate a trace on the equipment, and if it is government property or if it contains sensitive data, will dispatch a team to retrieve it. The current holder of the equipment will probably not enjoy the experience.
|
Edited by - Carefree on 06 February 2016 05:05:20 |
|
|
| |
Topic |
|
Detect Duplicate Credentials
