- From: Eric Vyncke (evyncke) <evyncke@cisco.com>
- Date: Wed, 1 Apr 2015 11:32:05 +0000
- To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Received on Wednesday, 1 April 2015 11:32:52 UTC
In the era of scarce IPv4 addresses, servers should NOT link the HTTP session cookies to the user-agent IP address...

I have posted in the IETF V6OPS WG the following:

http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie

In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change of user-agent address => loss of session.

Any suggestion on how this can be addressed? I know at least two major web sites in Belgium that removed IPv6 from their web site due to this issue (and their security department not wanting to unlink IP address from the session cookies).

Comments are welcome

-éric
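
To make the failure mode described in the message concrete, the following added example (not part of the original message) replays a constructed request log against a server that pins each session cookie to the source address it was issued to, and against one that does not. The session ids, the addresses (documentation ranges) and the `classify_change`/`replay` helpers are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (session cookie id, source address seen by the server).
# Addresses are taken from documentation ranges (RFC 5737 / RFC 3849).
REQUESTS = [
    ("sess-a", "2001:db8:1::10"),
    ("sess-a", "192.0.2.10"),       # dual-stack client connected over IPv4
    ("sess-a", "2001:db8:1::10"),   # and back over IPv6
    ("sess-b", "198.51.100.7"),
    ("sess-b", "198.51.100.8"),     # NAT pool handed out another address
    ("sess-c", "203.0.113.5"),
    ("sess-c", "203.0.113.5"),      # stable client, never affected
]

def classify_change(old, new):
    """Return None if unchanged, else 'family-flip' or 'same-family'."""
    a, b = ipaddress.ip_address(old), ipaddress.ip_address(new)
    if a == b:
        return None
    return "family-flip" if a.version != b.version else "same-family"

def replay(requests, bind_to_ip):
    """Replay the log; return accepted/rejected counts per session.

    With bind_to_ip=True a request whose source address differs from the
    one the session is bound to is rejected, i.e. the session is lost.
    """
    bound, last = {}, {}
    report = defaultdict(lambda: {"accepted": 0, "rejected": 0, "changes": []})
    for sid, addr in requests:
        pinned = bound.setdefault(sid, addr)
        change = classify_change(last.get(sid, addr), addr)
        if change:
            report[sid]["changes"].append(change)
        last[sid] = addr
        if bind_to_ip and classify_change(pinned, addr):
            report[sid]["rejected"] += 1
            bound[sid] = addr  # assumption: user logs in again from here
        else:
            report[sid]["accepted"] += 1
    return dict(report)

if __name__ == "__main__":
    for mode in (True, False):
        print("bind_to_ip =", mode, replay(REQUESTS, mode))
```

Run over real access logs keyed by session id, the same replay gives an operator a count of how many legitimate sessions an IP-bound cookie check would terminate, split by address-family flips and same-family (NAT) changes.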