Re: Linking a cookie to an IP address is a very bad in 2015...

Using User-Agent appears to me as more stable than the IP address for sure :-)

And to reply to the suggestion of always using SSL (which is probably good anyway): it is not enough, as cookies can be stolen from the browser itself if an attacker can inject some JavaScript into the browser (using the good old cross-site scripting, for example).

-éric

From: Max Bruce <max.bruce12@gmail.com>
Date: Wednesday 1 April 2015 15:57
To: Willy Tarreau <w@1wt.eu>
Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, Eric Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...

That's a great point. What about User-Agent checking?

On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:
On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
> What about linking to several? I wrote a session system for my Web Server
> that will only allow access to the original Session ID if the IP &
> User-Agent has remained unchanged, in order to protect against session
> hijacking. I've found it's highly effective, unless you IP Spoof.

Sure it's highly effective. Just like it's highly effective in randomly
denying access to people who browse using multiple WiFi access points or
who switch between 3G and WiFi.

Willy

Received on Thursday, 2 April 2015 06:19:39 UTC
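The trade-off debated in this thread, as an added example that is not code from any of the participants: a small session store that can bind a session to the client IP and User-Agent (Max's scheme) or to the User-Agent alone (Éric's preference), replayed against Willy's scenario of a legitimate user moving from WiFi to 3G and against a stolen cookie presented from another client. The request sequence, addresses and User-Agent strings are constructed for the illustration, and the `SessionStore` class is hypothetical rather than any real server's API.

```python
"""Session binding check: client IP vs. User-Agent.

Added example, not code from the mailing-list thread. The SessionStore class,
the addresses and the User-Agent strings are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """The three request attributes the binding policy looks at."""
    session_id: str
    ip: str
    user_agent: str


def fingerprint(*parts: str) -> str:
    """Stable digest of the attributes a session is bound to."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part.encode("utf-8"))
        h.update(b"\0")  # separator so "a","bc" != "ab","c"
    return h.hexdigest()


class SessionStore:
    """Hypothetical server-side store: session id -> binding fingerprint."""

    def __init__(self, bind_ip: bool, bind_user_agent: bool) -> None:
        self.bind_ip = bind_ip
        self.bind_user_agent = bind_user_agent
        self._sessions: dict[str, str] = {}

    def _binding(self, ip: str, user_agent: str) -> str:
        parts = []
        if self.bind_ip:
            parts.append(ip)
        if self.bind_user_agent:
            parts.append(user_agent)
        return fingerprint(*parts)

    def create(self, ip: str, user_agent: str) -> str:
        """Issue a fresh random session id bound to the chosen attributes."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._binding(ip, user_agent)
        return sid

    def validate(self, req: Request) -> bool:
        """Accept only if the session exists and its binding still matches."""
        expected = self._sessions.get(req.session_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, self._binding(req.ip, req.user_agent))


def demo() -> dict[str, list[bool]]:
    """Replay one legitimate roaming user and one cookie thief against both policies."""
    ua = "Mozilla/5.0 (constructed browser UA)"
    results: dict[str, list[bool]] = {}
    for name, bind_ip in (("ip+ua", True), ("ua-only", False)):
        store = SessionStore(bind_ip=bind_ip, bind_user_agent=True)
        sid = store.create("192.0.2.10", ua)  # login from the office WiFi
        sequence = [
            Request(sid, "192.0.2.10", ua),     # next request, same network
            Request(sid, "198.51.100.7", ua),   # user switched to 3G, same browser
            Request(sid, "203.0.113.5", "curl/8.0 (constructed)"),  # stolen cookie, different client
            Request(sid, "203.0.113.5", ua),    # stolen cookie, attacker copied the UA header
        ]
        results[name] = [store.validate(r) for r in sequence]
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(f"{policy:8s} -> {outcome}")
```

Binding to IP and User-Agent rejects the second request, which is exactly Willy's complaint: the user who walks from WiFi to 3G is logged out. Binding to the User-Agent alone keeps that user logged in, but the last request shows why it is only a weak hint and not authentication: the header is client-supplied, so a replayed cookie with the same User-Agent passes. Neither policy addresses Éric's point that a cookie exfiltrated from the browser by injected script is presented by the attacker with whatever attributes were observed, so the binding is a defence-in-depth signal to log on, not a substitute for keeping the cookie out of reach of script in the first place.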