- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 1 Apr 2015 13:46:08 +0200
- To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Wed, Apr 01, 2015 at 11:32:05AM +0000, Eric Vyncke (evyncke) wrote:
> In the era of scarce IPv4 addresses, servers should NOT link the HTTP session
> cookies to the user-agent IP address...
>
> I have posted in the IETF V6OPS WG the following:
> http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
> https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie
>
> In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change
> of user-agent address => loss of session.
>
> Any suggestion on how this can be addressed? I know at least two major web
> sites in Belgium that removed IPv6 from their web site due to this issue (and
> their security department not wanting to unlink IP address from the session
> cookies)

I'm amazed people still do that in 2015. I had the idea to do it in 1999
until I realized it was stupid and never did it! So I'd have guessed that
16 years later everyone would have also figured this!

If IP addresses were stable during a session, cookies would not be needed;
the address would be used instead. So it's precisely because addresses are
unreliable that cookies exist.

Too bad people don't learn from others' mistakes...

Willy
Received on Wednesday, 1 April 2015 11:46:42 UTC
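The failure mode discussed in this thread, as an added example that is not part of the original message or of any project mentioned in it: a small server-side session store that can optionally bind a session to the client address. The request sequence (login over IPv4, next request over IPv6 after a Happy Eyeballs fallback), the timestamps and the addresses are all constructed, and `SessionStore`, `session_cookie_header` and `dual_stack_client_flow` are hypothetical names chosen for this illustration.

```python
"""Constructed simulation of an HTTP session store with and without
client-IP binding, showing why a dual-stack or NATed client loses its
session when the server ties the cookie to the peer address."""
import secrets


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    bind_to_ip=True reproduces the practice criticised in the thread:
    the session is only honoured from the address it was created from.
    """

    def __init__(self, bind_to_ip: bool, ttl_seconds: int = 3600):
        self.bind_to_ip = bind_to_ip
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, origin_ip, expires_at)

    def create(self, user: str, client_ip: str, now: float) -> str:
        # 256-bit random token from the OS CSPRNG: unguessable on its own,
        # so the client address adds nothing to its secrecy.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, client_ip, now + self.ttl)
        return token

    def validate(self, token: str, client_ip: str, now: float):
        """Return the user for a valid token, or None if it is rejected."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, origin_ip, expires_at = entry
        if now >= expires_at:
            # Lifetime, not address, is what bounds a stolen token's value.
            del self._sessions[token]
            return None
        if self.bind_to_ip and client_ip != origin_ip:
            # Address changed (NAT pool rotation, IPv4 -> IPv6 fallback):
            # the genuine user is logged out although the token is valid.
            return None
        return user


def session_cookie_header(token: str, max_age: int) -> str:
    """Cookie attributes that protect the session without touching the IP."""
    return (f"Set-Cookie: sid={token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def dual_stack_client_flow(bind_to_ip: bool):
    """Constructed request sequence: the browser logs in over IPv4, then its
    next request arrives over IPv6, and a last one arrives after expiry."""
    store = SessionStore(bind_to_ip=bind_to_ip, ttl_seconds=3600)
    t0 = 1_427_889_600.0       # constructed timestamp
    ipv4 = "203.0.113.7"       # RFC 5737 documentation prefix
    ipv6 = "2001:db8::7"       # RFC 3849 documentation prefix
    token = store.create("alice", ipv4, t0)
    first = store.validate(token, ipv4, t0 + 1)      # same address
    second = store.validate(token, ipv6, t0 + 2)     # address family changed
    expired = store.validate(token, ipv6, t0 + 4000) # past the TTL
    return first, second, expired


if __name__ == "__main__":
    for bound in (True, False):
        print(f"bind_to_ip={bound}: {dual_stack_client_flow(bound)}")
    print(session_cookie_header("<token>", 3600))
```

With `bind_to_ip=True` the second request is rejected and the user is silently logged out, which is exactly the "loss of session" Eric describes; with `bind_to_ip=False` the same token keeps working across the address change and is still bounded by its lifetime and by the `Secure`/`HttpOnly`/`SameSite` attributes.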