Binding a user session to an IP address

Session hijacking is an attack in which a fraudster obtains a valid session ID and uses it to gain unauthorized access to the system. The SSL encryption used by PortaSwitch provides adequate protection against most of these traffic interception attacks. However, there is still a slight possibility that a hacker guesses the session ID or that, while travelling through a high-fraud-risk country, an end user connects to an unscrupulous internet provider that has the means to decrypt traffic and leaks sensitive information to fraudsters.

Binding a user session to an IP address protects PortaBilling web interface users from the above-described risks.

This is how it works:

When a user logs in to the web interface, the created session is associated with the user’s current IP address. The system subsequently discards all access attempts from other IP addresses within that session. It also sends a notification to the user when such an attempt occurs.

Thus, even if someone manages to steal a session ID, it is of no use to the fraudster.

In the case of a legitimate IP address change (for example, the user has reconnected to the Internet via a different WLAN), the user sees a notification page with information on how they can continue their work. The user has two options: either authorize the new IP address by following the link provided in the notification email, or simply log in again.

To enable the binding of a user session to an IP address, an administrator must go to the Configuration server web interface and set the Security.EnableSessionIdProtection option to Yes.

It is possible to additionally configure the following options in the Security group on the Configuration server web interface:

  • The number of IP addresses that can be authorized within the same session.

  • The number of access attempts from an unknown IP address after which the system rejects subsequent attempts without sending any notification.
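The following is an added illustrative model of the mechanism described above (not PortaSwitch code): a session store that binds each session to the login IP address, rejects requests from other addresses, notifies the user with a one-time link for the first few unknown-IP attempts and then rejects silently, and lets the user authorize a new address only while the per-session limit allows it. The option names `MAX_AUTHORIZED_IPS` and `NOTIFY_ATTEMPT_LIMIT` are constructed stand-ins for the Security group settings; `access()` returns one of `"ok"`, `"rejected_notified"`, `"rejected_silent"` or `"no_session"`.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed settings that stand in for the Security options described on the page.
MAX_AUTHORIZED_IPS = 2     # IP addresses that may be authorized within one session (assumed to include the login IP)
NOTIFY_ATTEMPT_LIMIT = 3   # unknown-IP attempts after which rejections are silent


@dataclass
class Session:
    user: str
    authorized_ips: set = field(default_factory=set)
    unknown_attempts: int = 0
    pending_ip: Optional[str] = None      # new address awaiting the user's approval
    pending_token: Optional[str] = None   # one-time token carried by the emailed link


class SessionStore:
    def __init__(self):
        self.sessions = {}
        self.outbox = []   # (user, ip, token) notifications; a real system would email these

    def login(self, user, ip):
        # Create a session and bind it to the IP address used for the login.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, {ip})
        return sid

    def access(self, sid, ip):
        s = self.sessions.get(sid)
        if s is None:
            return "no_session"
        if ip in s.authorized_ips:
            return "ok"
        s.unknown_attempts += 1
        if s.unknown_attempts > NOTIFY_ATTEMPT_LIMIT:
            return "rejected_silent"           # a stolen ID keeps being probed: stop notifying
        s.pending_ip, s.pending_token = ip, secrets.token_urlsafe(16)
        self.outbox.append((s.user, ip, s.pending_token))   # the notification with the link
        return "rejected_notified"

    def authorize_ip(self, sid, token):
        # Following the emailed link: add the pending IP if the per-session limit allows it.
        s = self.sessions.get(sid)
        if s is None or s.pending_token is None or not secrets.compare_digest(token, s.pending_token):
            return False
        if len(s.authorized_ips) >= MAX_AUTHORIZED_IPS:
            return False                       # limit reached: the user must log in again
        s.authorized_ips.add(s.pending_ip)
        s.pending_ip = s.pending_token = None
        s.unknown_attempts = 0
        return True
```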