The cookie info should not be accessible to JavaScript if the HttpOnly flag is specified when the cookie is set... (Unless the browser is seriously broken...)
Sent from my iPad
> On Apr 2, 2015, at 2:18 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
>
> Using User-Agent appears to me as more stable than the IP address for sure :-)
>
> And to reply to the suggestion of always using SSL (which is probably good anyway): it is not enough, as cookies can be stolen from the browser itself if an attacker can inject some JavaScript into the browser (using the good old cross-site scripting, for example).
>
> -éric
>
> From: Max Bruce <max.bruce12@gmail.com>
> Date: Wednesday 1 April 2015 15:57
> To: Willy Tarreau <w@1wt.eu>
> Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, Eric Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
>
> That's a great point. What about User-Agent checking?
>
>> On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:
>> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
>> > What about linking to several? I wrote a session system for my Web Server
>> > that will only allow access to the original Session ID if the IP &
>> > User-Agent has remained unchanged, in order to protect against session
>> > hijacking. I've found it's highly effective, unless you IP Spoof.
>>
>> Sure it's highly effective. Just like it's highly effective in randomly
>> denying access to people who browse using multiple WiFi access points or
>> who switch between 3G and WiFi.
>>
>> Willy
>
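As an added example (not code from anyone in this thread): a small Python helper that issues a session cookie with the HttpOnly and Secure flags, binds the session to the User-Agent and, optionally, to the client IP, and then walks through the failure mode Willy describes, a legitimate client that changes networks. The cookie name `sid`, `SERVER_KEY`, the stateless HMAC binding and the sample addresses are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Optional
from http.cookies import SimpleCookie

# Assumed per-deployment secret (constructed here; a real server loads it from config).
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "sid"  # assumed cookie name


def _binding_tag(session_id: str, user_agent: str, client_ip: Optional[str]) -> str:
    """HMAC over the session id plus the client attributes the session is bound to.
    client_ip=None binds to the User-Agent only; passing an IP reproduces IP+UA binding."""
    msg = "\x1f".join([session_id, user_agent, client_ip or ""]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_session_cookie(session_id: str, user_agent: str, client_ip: Optional[str] = None) -> str:
    """Return a Set-Cookie header value. HttpOnly keeps document.cookie from reading it
    (the point at the top of the thread); Secure keeps it off plaintext HTTP."""
    c = SimpleCookie()
    c[COOKIE_NAME] = f"{session_id}.{_binding_tag(session_id, user_agent, client_ip)}"
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = True
    c[COOKIE_NAME]["path"] = "/"
    return c[COOKIE_NAME].OutputString()


def validate_session(cookie_header: str, user_agent: str, client_ip: Optional[str] = None) -> Optional[str]:
    """Return the session id if the presented cookie matches the current client attributes.
    Note the limit: the User-Agent is sent by the client, so a cookie replayed with the
    same UA string still validates; binding only raises the bar."""
    c = SimpleCookie()
    c.load(cookie_header)
    if COOKIE_NAME not in c:
        return None
    session_id, _, tag = c[COOKIE_NAME].value.partition(".")
    expected = _binding_tag(session_id, user_agent, client_ip)
    return session_id if tag and hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Constructed walk-through: the same browser, first on WiFi, then on 3G."""
    ua = "Mozilla/5.0 (iPad; CPU OS 8_2 like Mac OS X) Safari/600.1.4"  # constructed UA
    wifi_ip, mobile_ip = "203.0.113.5", "198.51.100.7"  # documentation address ranges
    hdr_ip = issue_session_cookie("s1", ua, wifi_ip)
    hdr_ua = issue_session_cookie("s1", ua)
    cookie = lambda h: h.split(";", 1)[0]  # what the browser sends back: "sid=..."
    return {
        "flags_set": "HttpOnly" in hdr_ip and "Secure" in hdr_ip,
        "ip_bound_same_network": validate_session(cookie(hdr_ip), ua, wifi_ip),
        "ip_bound_after_switch": validate_session(cookie(hdr_ip), ua, mobile_ip),  # None: user locked out
        "ua_bound_after_switch": validate_session(cookie(hdr_ua), ua),  # "s1": survives the switch
        "ua_bound_other_client": validate_session(cookie(hdr_ua), "curl/7.64.1"),  # None
    }
```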