Re: Linking a cookie to an IP address is a very bad in 2015... from Max Bruce on 2015-04-01 (ietf-http-wg@w3.org from April to June 2015)

From: Max Bruce <max.bruce12@gmail.com>
Date: Wed, 1 Apr 2015 12:57:56 -0700
To: Willy Tarreau <w@1wt.eu>
Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABb0SYTpk+rOB_1m5x5ahH1jDv30Ypx7Bu-k86wStg5mmO0R3w@mail.gmail.com>

That's a great point. What about User-Agent checking?

On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:

> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
> > What about linking to several? I wrote a session system for my Web Server
> > that will only allow access to the original Session ID if the IP &
> > User-Agent has remained unchanged, in order to protect against session
> > hijacking. I've found it's highly effective, unless you IP Spoof.
>
> Sure it's highly effective. Just like it's highly effective in randomly
> denying access to people who browse using multiple WiFi access point or
> who switch between 3G and WiFi.
>
> Willy
>
>

Received on Wednesday, 1 April 2015 19:58:24 UTC