The cookie info should not be accessible to JavaScript if the HttpOnly flag is specified when the cookie is set... (Unless the browser is seriously broken...) Sent from my iPad > On Apr 2, 2015, at 2:18 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote: > > Using User-Agent appears to me as more stable than the IP address for sure :-) > > And to reply to the suggestion of always using SSL (which is probably good anyway): it is not enough as cookies can be stolen from the browser itself if an attacker can inject some javascript into the browser (using the good old cross site scripting for example) > > -éric > > From: Max Bruce <max.bruce12@gmail.com> > Date: mercredi 1 avril 2015 15:57 > To: Willy Tarreau <w@1wt.eu> > Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, Eric Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org> > Subject: Re: Linking a cookie to an IP address is a very bad in 2015... > > That's a great point. What about User-Agent checking? > >> On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote: >> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote: >> > What about linking to several? I wrote a session system for my Web Server >> > that will only allow access to the original Session ID if the IP & >> > User-Agent has remained unchanged, in order to protect against session >> > hijacking. I've found it's highly effective, unless you IP Spoof. >> >> Sure it's highly effective. Just like it's highly effective in randomly >> denying access to people who browse using multiple WiFi access point or >> who switch between 3G and WiFi. >> >> Willy >
Received on Thursday, 2 April 2015 10:46:45 UTC