ZABBIX FEATURE REQUESTS
ZBXNEXT-10013

User session IP/User-Agent binding


      Users should have the option to increase the security of their Zabbix instance by binding each session to the IP address and/or User-Agent string seen at login.

      With this feature enabled, a request that presents a valid session ID but arrives from a different IP address or a different User-Agent than the one the user logged in with is rejected. This makes session hijacking (for example, replaying a stolen session cookie) considerably harder, although an attacker who sends the same User-Agent string and routes traffic through the same source IP address would still get through. It complements MFA well: session hijacking bypasses MFA completely, because the attacker replays an already authenticated session instead of logging in. IP/User-Agent binding protects an exposed session, while MFA protects exposed credentials, so each feature covers the other's weakness.

      Because the feature can degrade the user experience (see Downsides below), it should be opt-in.

      A more detailed risk analysis is in the linked ZBXSEC issue.

      🛠️ Implementation considerations

      Possible implementation

      • Record the client IP address when the user logs in.
      • Record the User-Agent string when the user logs in.
      • Every time the session is validated, also check that the current IP address and User-Agent string match the recorded ones.
      • If either differs, invalidate the session and redirect the user to the login page.
        • An error message stating that the session has ended would be helpful.
      • UI is needed, probably two checkboxes (one per binding) under Administration > General > Other > Security.

      Downsides

      Implementing IP/User-Agent binding has some downsides:

      • UX downgrade:
        • The user's IP address can change (mobile networks, VPN reconnects, DHCP renewals), forcing a new login.
        • A browser update typically changes the User-Agent string and would log the user out.
      • Performance overhead (comparing both values on every request, although the cost is small since both are already at hand).
      • If Zabbix is behind a reverse proxy, the proxy must be configured to pass the client address (for example in X-Forwarded-For), and the frontend must trust that header only when the request actually comes from the proxy; a header trusted from any source can be spoofed by the client.
        • If this step is not done, all sessions are bound to the reverse proxy's IP address, negating the protection of the IP binding.

      Questions

      • Are there browser requests that do not include a User-Agent header? If so, should a missing header be treated as a mismatch or be skipped?
      • How strict should the User-Agent comparison be: an exact string match, or a comparison that ignores version numbers so that browser updates do not end the session?
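
      To make the procedure above concrete, the following is an added, self-contained Python sketch written for this page (not Zabbix frontend code, which is PHP). It records the client IP and a User-Agent fingerprint at login, re-checks both on every request, ends the session on a mismatch with a reason the login page can display, and honours X-Forwarded-For only when the request arrives from a configured reverse proxy (the downside noted above). It also answers the two open questions one possible way: a missing User-Agent header is a distinct value that must match as well, and version numbers are masked so a browser update does not log the user out unless ua_strict is set. The proxy address 10.0.0.1, the client addresses and the header values are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
import secrets
from dataclasses import dataclass, field

# Constructed for the example: the reverse proxy in front of the frontend.
# Only a request whose TCP peer is one of these may supply X-Forwarded-For.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.0.1")})

# Matches version numbers such as "124.0" or "5.0" inside a User-Agent.
_VERSION = re.compile(r"\d+(?:\.\d+)*")


def client_ip(remote_addr: str, headers: dict[str, str],
              trusted: frozenset = TRUSTED_PROXIES) -> str:
    """Return the address the session should be bound to.

    X-Forwarded-For is honoured only when the peer is a trusted proxy;
    otherwise any client could set the header and defeat the binding.
    The chain is walked from the right (the hop closest to us) and the
    first hop that is not a trusted proxy is taken as the real client.
    """
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For", "")
    if peer not in trusted or not xff:
        return str(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed header: fall back to the peer address
        if addr not in trusted:
            return str(addr)
    return str(peer)


def ua_fingerprint(headers: dict[str, str], strict: bool) -> str | None:
    """User-Agent value to bind to. None (header absent) is a value of its
    own, so a session started with a UA is ended by a request without one.
    In lenient mode version numbers are masked so browser updates survive."""
    ua = headers.get("User-Agent")
    if ua is None or strict:
        return ua
    return _VERSION.sub("#", ua)


@dataclass
class Session:
    user: str
    ip: str
    ua: str | None


@dataclass
class SessionStore:
    bind_ip: bool = True           # checkbox 1: bind session to IP address
    bind_user_agent: bool = True   # checkbox 2: bind session to User-Agent
    ua_strict: bool = False        # exact User-Agent match instead of masked
    sessions: dict[str, Session] = field(default_factory=dict, repr=False)

    def login(self, user: str, remote_addr: str, headers: dict[str, str]) -> str:
        """Create a session and record the binding values seen at login."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(
            user, client_ip(remote_addr, headers),
            ua_fingerprint(headers, self.ua_strict))
        return token

    def validate(self, token: str, remote_addr: str,
                 headers: dict[str, str]) -> tuple[bool, str]:
        """Return (ok, reason). A binding mismatch deletes the session so the
        caller can redirect to the login page and show the reason."""
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown or expired session"
        if self.bind_ip and client_ip(remote_addr, headers) != s.ip:
            del self.sessions[token]
            return False, "session ended: IP address changed"
        if self.bind_user_agent and ua_fingerprint(headers, self.ua_strict) != s.ua:
            del self.sessions[token]
            return False, "session ended: User-Agent changed"
        return True, "ok"


if __name__ == "__main__":
    store = SessionStore()
    firefox = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"}
    token = store.login("Admin", "198.51.100.7", firefox)
    print(store.validate(token, "198.51.100.7", firefox))   # same client
    print(store.validate(token, "203.0.113.9", firefox))    # replayed cookie
```

      Masking version numbers is a deliberate middle ground: it keeps browser updates from ending sessions while still rejecting a different browser family or platform string. The proxy handling is the part most easily got wrong in deployment; if the frontend trusted X-Forwarded-For from every peer, an attacker holding a stolen cookie could simply send the victim's address in that header.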

            sasha Alexander Vladishev
            jnulle Janis Nulle
            Votes: 0
            Watchers: 3
