Ask HN: Best practices for stolen session detection?
We want to secure our service with additional methods of detecting a stolen HTTP session via IP/geolocation.
Are there any resources to find best practices for implementing such a system?
Are there any resources to find best practices for implementing such a system?
4 comments
[ 4.0 ms ] story [ 19.9 ms ] threadEven tieing a session to a single source IP is not great (think stealing sessions in a coffee shop behind NAT).
Use HTTPS.
Sign requests with a MAC (message authentication code).
Make sure your tokens expire fairly quickly and you have a method to refresh them.
Well, obviously we want to prevent stealing the HTTP session. But maybe someone steals the user's password - we can't protect the user's password for him.
So when someone from the US suddenly logs in on another continent we want to detect that. Sure they could use a proxy, but maybe. Since it's a B2B app people rarely use it out of the office.
I read eCommerce shops do it, payment providers as well. So there seems to be something to it...
Each time the user logs in from a new "client" ask for a 2FA code from something like their phone.
Things like Authy and Google Authenticator make this relatively painless to implement.