- From: Eric Vyncke (evyncke) <evyncke@cisco.com>
- Date: Wed, 1 Apr 2015 11:52:04 +0000
- To: Willy Tarreau <w@1wt.eu>
- CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Indeed, people never learn... OTOH, linking a session cookie to the user-agent IP address renders 'session cookie stealing' much more difficult

-éric

On 1/04/15 13:46, "Willy Tarreau" <w@1wt.eu> wrote:

>On Wed, Apr 01, 2015 at 11:32:05AM +0000, Eric Vyncke (evyncke) wrote:
>> In the era of scarce IPv4 addresses, servers should NOT link the HTTP
>> session cookies to the user-agent IP address...
>>
>> I have posted in the IETF V6OPS WG the following:
>> http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
>> https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie
>>
>> In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change
>> of user-agent address => loss of session.
>>
>> Any suggestion on how this can be addressed? I know at least two major web
>> sites in Belgium that removed IPv6 from their web site due to this issue (and
>> their security department not wanting to unlink IP address from the session
>> cookies)
>
>I'm amazed people still do that in 2015, I had the idea to do it in 1999
>until I realized it was stupid and never did it! So I'd have guessed that
>16 years later everyone would have also figured this! If IP addresses
>were stable during a session, cookies would not be needed, the address
>would be used instead. So it's precisely because addresses are unreliable
>that cookies exist.
>
>Too bad people don't learn from others' mistakes...
>
>Willy
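The trade-off the two messages above argue about, as an added example that is not code from the thread or from either participant: a session store that binds the cookie to the client address rejects a copied cookie presented from another address, but also rejects the legitimate client as soon as NAT or a dual-stack (IPv4/IPv6) switch changes that address. The addresses, user name and request sequence are constructed for the demonstration.

```python
# Added example, not code from the thread or from any of its participants.
# It models the trade-off discussed in the messages above: binding a session
# cookie to the client IP address blocks cookie replay from another address,
# but also loses the session of a legitimate client whose address changes
# because of NAT or a dual-stack (IPv4/IPv6) switch.
# All addresses and names below are constructed for the demonstration.
import secrets


class SessionStore:
    """Minimal server-side session table keyed by a random cookie value."""

    def __init__(self, bind_to_ip):
        self.bind_to_ip = bind_to_ip
        self._sessions = {}

    def login(self, user, client_ip):
        sid = secrets.token_urlsafe(16)  # unguessable cookie value
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def user_for(self, sid, client_ip):
        """Return the user behind cookie `sid`, or None if no session matches."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self.bind_to_ip and entry["ip"] != client_ip:
            # Address differs from the one seen at login: either the cookie
            # was stolen, or the same client is now reaching us via another
            # address. The server cannot tell the two apart.
            return None
        return entry["user"]


# Constructed request sequence for one legitimate dual-stack client behind a
# carrier-grade NAT: first contact over IPv4, then Happy Eyeballs picks IPv6,
# then a NAT rebinding hands it a different public IPv4 address.
CLIENT_ADDRESSES = ["203.0.113.7", "2001:db8:1::42", "203.0.113.19"]
ATTACKER_ADDRESS = "198.51.100.200"  # replays a copied cookie from elsewhere


def simulate(bind_to_ip):
    """Log in from the first address, then replay the cookie from the others.

    Returns how many follow-up requests from the legitimate client kept the
    session, and whether an attacker replaying the cookie from a different
    address was accepted.
    """
    store = SessionStore(bind_to_ip)
    sid = store.login("alice", CLIENT_ADDRESSES[0])
    kept = sum(store.user_for(sid, ip) == "alice" for ip in CLIENT_ADDRESSES[1:])
    stolen_ok = store.user_for(sid, ATTACKER_ADDRESS) == "alice"
    return {"legitimate_requests_kept": kept, "stolen_cookie_accepted": stolen_ok}


if __name__ == "__main__":
    for bind in (True, False):
        print(f"bind_to_ip={bind}: {simulate(bind)}")
```

With `bind_to_ip=True` the store rejects the replayed cookie but also every follow-up request from the legitimate client once its address changes, which is the session loss the IPv6 deployments in the thread ran into; with `bind_to_ip=False` the client keeps its session across IPv4/IPv6 and NAT changes, and protecting the cookie value itself (random, transported only over TLS, HttpOnly) is what stands between it and replay.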
Received on Wednesday, 1 April 2015 12:09:22 UTC