Ask HN: Best practices for stolen session detection?

2 points by stephanos2k ↗ HN
We want to secure our service with additional methods of detecting a stolen HTTP session via IP/geolocation.

Are there any resources to find best practices for implementing such a system?

4 comments

[ 4.0 ms ] story [ 19.9 ms ] thread
Detecting the location of the client by IP is not going to be very reliable, it's a false sense of security at best. You want to make it impossible to hijack, not detect it when it's too late!

Even tieing a session to a single source IP is not great (think stealing sessions in a coffee shop behind NAT).

Use HTTPS.

Sign requests with a MAC (message authentication code).

Make sure your tokens expire fairly quickly and you have a method to refresh them.

Thanks for your comment!

Well, obviously we want to prevent stealing the HTTP session. But maybe someone steals the user's password - we can't protect the user's password for him.

So when someone from the US suddenly logs in on another continent we want to detect that. Sure they could use a proxy, but maybe. Since it's a B2B app people rarely use it out of the office.

I read eCommerce shops do it, payment providers as well. So there seems to be something to it...

This is where you want 2FA really.

Each time the user logs in from a new "client" ask for a 2FA code from something like their phone.

Things like Authy and Google Authenticator make this relatively painless to implement.

We already implemented 2FA, but it's not yet forced for everyone. You don't want to patronize your customers ;)