Re: Linking a cookie to an IP address is a very bad in 2015... from Max Bruce on 2015-04-01 (ietf-http-wg@w3.org from April to June 2015)

From: Max Bruce <max.bruce12@gmail.com>
Date: Wed, 1 Apr 2015 12:48:36 -0700
To: Willy Tarreau <w@1wt.eu>
Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com>

What about linking to several? I wrote a session system for my Web Server
that will only allow access to the original Session ID if the IP &
User-Agent has remained unchanged, in order to protect against session
hijacking. I've found it's highly effective, unless you IP Spoof.

On Wed, Apr 1, 2015 at 8:16 AM, Willy Tarreau <w@1wt.eu> wrote:

> On Wed, Apr 01, 2015 at 08:14:06AM -0700, Jim Manico wrote:
> > I think using the IP address for these purposes is fantastic - in
> intranet
> > environments where IP per user is static. :)
>
> That was my initial goal in 1999 until I realized that some clients were
> using DHCP and that it would not even work outside due to the so called
> "AOL effect" by then.
>
> Willy
>
>
>

Received on Wednesday, 1 April 2015 19:49:05 UTC