- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 1 Apr 2015 13:58:39 +0200
- To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On Wed, Apr 01, 2015 at 11:52:04AM +0000, Eric Vyncke (evyncke) wrote:
> Indeed, people never learn...
>
> OTOH, linking a session cookie to the user-agent IP address renders
> 'session cookie stealing' much more difficult

Yes, and accessibility as well. While I definitely understand the principle
of considering a source address to help with the triage of requests when
dealing with a massive attack, in which case it will definitely get rid of
a few valid users, it's absurd to do it by default.

Regards,
Willy

Received on Wednesday, 1 April 2015 11:59:06 UTC