Re: Linking a cookie to an IP address is a very bad in 2015...

Willy,

> On Apr 1, 2015, at 4:09 PM, Willy Tarreau <w@1wt.eu> wrote:
> 
> On Wed, Apr 01, 2015 at 12:57:56PM -0700, Max Bruce wrote:
>> That's a great point. What about User-Agent checking?
> 
> Yes, that's what Michael mentioned as well. I *believe* that some
> UAs send different values when a plugin performs a request, but I'm
> not 100% certain. That's clearly something to check for those who
> want to do this though.
> 
> I find it fun to see people scared about cookie stealing at an era
> where some others are pushing hard for TLS everywhere. Either one
> is a problem of the past, or the other is ineffective against info
> leak :-)

MITM attacks/proxies can cause cookies "protected" by TLS to be exposed, but at that point the client IP validation is probably also defeated. JavaScript-based attacks are also possible, assuming you haven't set HttpOnly on the session cookie, but again those will come from the same IP so the validation is ineffective.

Probably the "right" answer is to always use TLS, never use the client IP or other request headers when constructing or validating the session ID, limit the amount of time a session ID is valid, and make sure your session IDs cannot be easily guessed.  (Which is pretty much what the OWASP cheat sheet says, minus the IP validation stuff...)

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Received on Wednesday, 1 April 2015 20:30:47 UTC
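The session-handling rules in the reply above (TLS-only cookie, no client IP or request-header binding, bounded lifetime, unguessable ID, HttpOnly), shown as a small server-side session store. This is an added example written for this page, not code from the thread or from any project mentioned in it; the timeout values, the cookie name `session`, and the helper names (`SessionStore`, `authenticate_request`, `set_cookie_header`) are assumptions chosen for illustration.

```python
"""Session store following the session-ID advice in the reply above (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy values for this example; tune them for the application.
IDLE_TIMEOUT = 15 * 60        # seconds allowed since the session was last used
ABSOLUTE_LIFETIME = 8 * 3600  # seconds allowed since login, regardless of activity
COOKIE_NAME = "session"


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side store keyed by a digest of the opaque session token.

    Only the token, its age and its idle time decide validity. No client IP,
    User-Agent or other request header is ever consulted, so a legitimate client
    that changes address or sends a request from a plugin keeps its session.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be exercised offline
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Keep a digest, not the token, so a dump of the store yields no usable IDs.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG: 256 bits of entropy, not guessable.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: Optional[str]) -> Optional[str]:
        """Return the user owning a live token, or None."""
        if not token:
            return None
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.created > ABSOLUTE_LIFETIME or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]  # expired: drop it so it cannot be revived
            return None
        sess.last_seen = now
        return sess.user

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for the same user (after login or privilege change)."""
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[self._key(token)]
        return self.create(user)


def set_cookie_header(token: str) -> str:
    # Secure: sent only over TLS. HttpOnly: unreadable from script. SameSite: CSRF hedge.
    return (f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax; "
            f"Max-Age={IDLE_TIMEOUT}")


def parse_cookie_header(value: str) -> Dict[str, str]:
    cookies: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            cookies[name] = val
    return cookies


def authenticate_request(store: SessionStore, headers: Dict[str, str]) -> Optional[str]:
    """Resolve the requesting user from the Cookie header alone.

    Any User-Agent, X-Forwarded-For or similar header present is deliberately
    ignored: binding to them does not stop an attacker who already holds the
    token (same IP, as the reply notes) but does break legitimate clients.
    """
    cookies = parse_cookie_header(headers.get("Cookie", ""))
    return store.validate(cookies.get(COOKIE_NAME))


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(set_cookie_header(tok))
    print(authenticate_request(store, {"Cookie": f"session={tok}", "User-Agent": "Plugin/1"}))
```

The store hashes the token before lookup, so comparing IDs is a dictionary hit on a digest rather than a byte-by-byte compare of the secret, and the expiry check runs on every use so an idle or over-age session dies even if the browser kept the cookie. `rotate` covers the regenerate-on-login rule from the OWASP cheat sheet the reply cites.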