

Ask HN: Best practices for stolen session detection? - stephanos2k

We want to secure our service with additional methods of detecting a stolen HTTP session via IP/geolocation.

Are there any resources to find best practices for implementing such a system?
======
chrisfarms
Detecting the location of the client by IP is not going to be very reliable,
it's a false sense of security at best. You want to make it impossible to
hijack, not detect it when it's too late!

Even tying a session to a single source IP is not great (think stealing
sessions in a coffee shop behind NAT).

Use HTTPS.

Sign requests with a MAC (message authentication code).

Make sure your tokens expire fairly quickly and you have a method to refresh
them.
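Added illustration (not chrisfarms' code, and not from any project mentioned in the thread) of the last two points: a session token that carries its claims plus an HMAC-SHA256 tag, expires after a short TTL and can be refreshed. The key, the 15-minute TTL and the claim names are constructed for the demo; a real deployment loads the key from a secret store and keys the MAC per environment.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed demo key. Assumption: a real service loads this from a secret store.
SECRET_KEY = os.urandom(32)
TOKEN_TTL = 900  # seconds; a short lifetime bounds how long a stolen token is useful


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None, key: bytes = SECRET_KEY) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(key, payload)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + TOKEN_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now: Optional[float] = None, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error subclasses ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; checked before the payload is parsed or trusted.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        return None
    return claims


def refresh_token(token: str, now: Optional[float] = None, key: bytes = SECRET_KEY) -> Optional[str]:
    """Exchange a still-valid token for a fresh one; an expired or forged token cannot be refreshed."""
    claims = verify_token(token, now, key)
    if claims is None:
        return None
    return issue_token(claims["sub"], now, key)


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_token("alice", now=t0)
    print("valid now:", verify_token(tok, now=t0) is not None)
    print("valid after TTL:", verify_token(tok, now=t0 + TOKEN_TTL) is not None)
```

The MAC is checked before the payload is decoded, so a client cannot extend its own `exp`; refreshing only works while the current token is still valid, which forces the re-authentication chrisfarms is pointing at once a token has lapsed.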

~~~
stephanos2k
Thanks for your comment!

Well, obviously we want to prevent stealing the HTTP session. But maybe
someone steals the user's password - we can't protect the user's password for
him.

So when someone from the US suddenly logs in on another continent we want to
detect that. Sure they could use a proxy, but maybe. Since it's a B2B app
people rarely use it out of the office.

I read eCommerce shops do it, payment providers as well. So there seems to be
something to it...

~~~
chrisfarms
This is where you want 2FA really.

Each time the user logs in from a new "client" ask for a 2FA code from
something like their phone.

Things like Authy and Google Authenticator make this relatively painless to
implement.
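Added worked example (not chrisfarms' code, and unrelated to Authy's or Google's own implementations) of the "new client asks for a code" flow: an RFC 6238 TOTP verifier compatible with Google Authenticator style apps, wrapped in a small gate that only challenges a device the user has not already proven with a code. The in-memory store, device ids and the RFC 4226 test secret are constructed for the demo; a real service persists the trusted-device set and the last accepted counter per user.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret, used here only so the output is checkable.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step, digits)


class SecondFactorGate:
    """Constructed in-memory state: trusted device ids and the last accepted
    counter per user (the latter stops a captured code from being replayed)."""

    def __init__(self) -> None:
        self.trusted = {}        # user -> set of device ids that passed a code
        self.last_counter = {}   # user -> highest TOTP counter already accepted

    def needs_code(self, user: str, device_id: str) -> bool:
        """A login from a device the user has never confirmed requires a code."""
        return device_id not in self.trusted.get(user, set())

    def submit_code(self, user: str, device_id: str, secret: bytes, code: str,
                    at_time: float, window: int = 1, step: int = 30) -> bool:
        """Accept a code within +/- window steps of now (clock drift), reject
        any counter already used, and on success remember the device."""
        counter = int(at_time) // step
        for delta in range(-window, window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter.get(user, -1):
                continue  # this time step was already consumed: replay
            if hmac.compare_digest(hotp(secret, candidate), code):
                self.last_counter[user] = candidate
                self.trusted.setdefault(user, set()).add(device_id)
                return True
        return False


if __name__ == "__main__":
    gate = SecondFactorGate()
    print("challenge new laptop:", gate.needs_code("alice", "laptop-1"))
    print("code accepted:", gate.submit_code("alice", "laptop-1", DEMO_SECRET, totp(DEMO_SECRET, 59), 59))
    print("challenge same laptop again:", gate.needs_code("alice", "laptop-1"))
```

The device id would normally be a random value set in a long-lived cookie at first login; a cleared cookie or a different browser simply looks like a new client and is challenged again, which is the behaviour chrisfarms describes.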

~~~
stephanos2k
We already implemented 2FA, but it's not yet forced for everyone. You don't
want to patronize your customers ;)

