Re: Linking a cookie to an IP address is a very bad in 2015...

The cookie info should not be accessible to JavaScript if the HttpOnly flag is specified when the cookie is set... (Unless the browser is seriously broken...)

Sent from my iPad

> On Apr 2, 2015, at 2:18 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
> 
> Using User-Agent appears to me as more stable than the IP address for sure :-)
> 
> And to reply to the suggestion of always using SSL (which is probably good anyway): it is not enough, as cookies can be stolen from the browser itself if an attacker can inject some JavaScript into the browser (using the good old cross-site scripting, for example).
> 
> -éric
> 
> From: Max Bruce <max.bruce12@gmail.com>
> Date: Wednesday 1 April 2015 15:57
> To: Willy Tarreau <w@1wt.eu>
> Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, Eric Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
> 
> That's a great point. What about User-Agent checking?
> 
>> On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:
>> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
>> > What about linking to several? I wrote a session system for my Web Server
>> > that will only allow access to the original Session ID if the IP &
>> > User-Agent has remained unchanged, in order to protect against session
>> > hijacking. I've found it's highly effective, unless you IP Spoof.
>> 
>> Sure it's highly effective. Just like it's highly effective in randomly
>> denying access to people who browse using multiple WiFi access points or
>> who switch between 3G and WiFi.
>> 
>> Willy
> 

Received on Thursday, 2 April 2015 10:46:45 UTC
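The two mechanisms the thread argues about, the HttpOnly cookie flag and binding a session to the client's IP and/or User-Agent, can be tried out in a few lines. The following is an added example written for this page; it is not code from any participant or from any project mentioned in the thread. `SessionStore`, `issue_cookie` and `simulate_roaming` are illustrative names, and the IP addresses and User-Agent strings are constructed sample values. It issues a session cookie with HttpOnly, Secure and SameSite set, then replays one client's history (login on WiFi, switch to a mobile network, then the same session id presented from a different browser) against an IP-plus-User-Agent policy and a User-Agent-only policy, showing the false rejection Willy describes for the former.

```python
"""Added example (not from the thread): session-cookie hardening and session binding.

It illustrates the two mechanisms discussed above:
  1. Issuing the session cookie with the HttpOnly flag (plus Secure and
     SameSite) so that script running in the page cannot read it.
  2. Binding a session to client attributes: IP + User-Agent, as in the
     scheme described in the thread, versus User-Agent only, and why the
     former rejects a legitimate client whose network address changes.
All names (SessionStore, issue_cookie, simulate_roaming) are illustrative
and not taken from any project mentioned in the thread.
"""
from __future__ import annotations

import secrets
from http.cookies import SimpleCookie


def issue_cookie(session_id: str) -> str:
    """Return a Set-Cookie header value for the session id with HttpOnly,
    Secure and SameSite=Strict set, so the cookie is not readable from
    document.cookie and is only sent over TLS."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"  # Morsel supports samesite on Python 3.8+
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


class SessionStore:
    """In-memory session table whose validation policy can bind the session
    to the client IP and/or the User-Agent string seen at login."""

    def __init__(self, bind_ip: bool, bind_user_agent: bool) -> None:
        self.bind_ip = bind_ip
        self.bind_user_agent = bind_user_agent
        self._sessions: dict[str, dict[str, str]] = {}

    def create(self, ip: str, user_agent: str) -> str:
        # 256-bit random id from the OS CSPRNG; the id itself is the secret.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"ip": ip, "ua": user_agent}
        return sid

    def validate(self, sid: str, ip: str, user_agent: str) -> bool:
        """True if the id is known and every bound attribute still matches."""
        record = self._sessions.get(sid)
        if record is None:
            return False
        if self.bind_ip and record["ip"] != ip:
            return False
        if self.bind_user_agent and record["ua"] != user_agent:
            return False
        return True


def simulate_roaming() -> dict[str, list[bool]]:
    """Replay one constructed client history against both policies.

    The client logs in from a home WiFi address, then keeps browsing after
    switching to a mobile network (new IP, same browser).  A third request
    presents the same session id from a different browser, which is the
    case binding is meant to catch."""
    login_ip, mobile_ip = "192.0.2.10", "198.51.100.7"  # constructed (RFC 5737 ranges)
    ua = "ExampleBrowser/1.0"                            # constructed
    other_ua = "OtherBrowser/2.0"                        # constructed

    results: dict[str, list[bool]] = {}
    for name, store in (
        ("ip_and_ua", SessionStore(bind_ip=True, bind_user_agent=True)),
        ("ua_only", SessionStore(bind_ip=False, bind_user_agent=True)),
    ):
        sid = store.create(login_ip, ua)
        results[name] = [
            store.validate(sid, login_ip, ua),          # same network, same browser
            store.validate(sid, mobile_ip, ua),         # switched WiFi -> 3G
            store.validate(sid, mobile_ip, other_ua),   # same id, different browser
        ]
    return results


if __name__ == "__main__":
    print(issue_cookie("example-session-id"))
    for policy, outcome in simulate_roaming().items():
        print(policy, outcome)
```

Run as a script it prints the Set-Cookie value and, for each policy, the three validation results: the IP-plus-User-Agent policy yields `[True, False, False]`, rejecting the legitimate roaming client on its second request, while the User-Agent-only policy yields `[True, True, False]`. Neither policy helps once the cookie has been read by injected script, which is what the HttpOnly flag in `issue_cookie` addresses.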