from Hacker News

Ask HN: Best practices for stolen session detection?

by stephanos2k on 3/24/14, 3:14 PM with 4 comments

We want to secure our service with additional methods of detecting a stolen HTTP session via IP/geolocation.

Are there any resources to find best practices for implementing such a system?

  • by chrisfarms on 3/24/14, 3:44 PM

    Detecting the location of the client by IP is not going to be very reliable, it's a false sense of security at best. You want to make it impossible to hijack, not detect it when it's too late!

    Even tying a session to a single source IP is not great (think stealing sessions in a coffee shop behind NAT).

    Use HTTPS.

    Sign requests with a MAC (message authentication code).

    Make sure your tokens expire fairly quickly and you have a method to refresh them.
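The three recommendations in the comment above (an HMAC over what the client presents, short-lived tokens, and a refresh path), shown as one added example. This is not code from the commenter or from Hacker News; it is illustrative Python written for this thread. The key, the 15-minute lifetime, the 5-minute replay window for signed requests and the claim names are assumptions, and everything is verified with a constant-time comparison so that tampering and expiry are rejected the same way.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Assumed policy values: a short session lifetime and a small clock-skew window
# for signed requests. Real deployments tune these to their own risk appetite.
TOKEN_TTL_SECONDS = 15 * 60
REQUEST_WINDOW_SECONDS = 5 * 60


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user_id: str, now: int, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(key, payload).

    The payload carries subject, issue time, expiry and a random nonce so that
    two tokens for the same user in the same second are still distinct.
    """
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl,
              "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_token(key: bytes, token: str, now: int):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Check the MAC before trusting anything inside the payload.
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims


def refresh_token(key: bytes, token: str, now: int, ttl: int = TOKEN_TTL_SECONDS):
    """Exchange a still-valid token for a fresh one; an expired or forged token gets nothing."""
    claims = verify_token(key, token, now)
    if claims is None:
        return None
    return issue_token(key, claims["sub"], now, ttl)


def _canonical_request(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    # Bind method, path, a body digest and a timestamp so a captured signature
    # cannot be moved to another request or replayed outside the window.
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_digest}".encode()


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    return _b64e(hmac.new(key, _canonical_request(method, path, body, timestamp),
                          hashlib.sha256).digest())


def verify_request(key: bytes, method: str, path: str, body: bytes, timestamp: int,
                   signature: str, now: int, window: int = REQUEST_WINDOW_SECONDS) -> bool:
    if abs(now - timestamp) > window:
        return False
    try:
        presented = _b64d(signature)
    except binascii.Error:
        return False
    expected = hmac.new(key, _canonical_request(method, path, body, timestamp),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed demo key; a real service loads this from a secret store.
    demo_key = secrets.token_bytes(32)
    tok = issue_token(demo_key, "alice", now=1_000_000)
    print("valid now:", verify_token(demo_key, tok, 1_000_100) is not None)
    print("valid after expiry:", verify_token(demo_key, tok, 1_001_000) is not None)
```

Expiry and the MAC are enforced server-side, so neither a stale cookie nor an edited claim gets past `verify_token`; the request MAC additionally ties each call to its method, path, body and time, which is the property the comment's "sign requests" advice is after.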