Re: Linking a cookie to an IP address is a very bad in 2015...


> On Apr 1, 2015, at 7:46 AM, Willy Tarreau <> wrote:
> ...
> I'm amazed people still do that in 2015, I had the idea to do it in 1999
> until I realized it was stupid and never did it! So I'd have guessed that
> 16 years later everyone would have also figured this! If IP addresses
> were stable during a session, cookies would not be needed, the address
> would be used instead. So it's precisely because addresses are unreliable
> that cookies exist.

Um, no.  IP addresses, by themselves, have never been useful as unique client identifiers.  NAT, DHCP, proxies, roaming, etc. all contribute to their instability.

Typically the client address will be incorporated into the session cookie value which contains a hash of a timestamp, client address, client-supplied headers (like User-Agent), server-supplied nonce value, and user ID and password (for sites with user accounts).

The main reason for incorporating client values into the session cookie hash is to (imperfectly) tie the cookie to the identity of the client (vs. the user) and (imperfectly) protect against replay attacks, particularly for HTTP connections.

From an operational standpoint, I've used this method on dozens of web sites over the years and maybe had 10 reports of problems due to NAT/proxies, over millions of visitors.  There may be some "selection bias" in that number (all of my web sites have been tech-oriented) but I don't think this is something that affects a large number of users given its continued, widespread use.

(Note: I'm not claiming that this practice is perfect or that we shouldn't try to come up with something better...)

Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Wednesday, 1 April 2015 14:53:07 UTC