- From: Zhong Yu <zhong.j.yu@gmail.com>
- Date: Thu, 2 Apr 2015 11:11:19 -0500
- To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
A TLS session is a pretty good alternative. Within one browser session, different HTTPS connections to the same server will likely share the same TLS session. The server can bind state to the TLS session; there's no need for an HTTP cookie, if the site is HTTPS only.

Zhong Yu
bayou.io

On Wed, Apr 1, 2015 at 6:32 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
> In the era of scarce IPv4 addresses, servers should NOT link the HTTP
> session cookies to the user-agent IP address...
>
> I have posted in the IETF V6OPS WG the following:
> http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
> https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie
>
> In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change
> of user-agent address => loss of session.
>
> Any suggestion on how this can be addressed? I know at least two major web
> sites in Belgium that removed IPv6 from their web site due to this issue
> (and their security department not wanting to unlink IP address from the
> session cookies)
>
> Comments are welcome
>
> -éric
>
Received on Thursday, 2 April 2015 16:11:47 UTC
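An added illustration of the two binding policies discussed in this thread (example code written for this archive page, not by either poster): a cookie session pinned to the client IP, which is lost when a dual-stack client's address flips from IPv4 to IPv6, beside state keyed on the TLS session as Zhong Yu suggests, which survives the flip but only while that TLS session is resumed. The addresses, session ids and the `Request` shape are constructed assumptions.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    """What the server observes per HTTPS request (constructed model)."""
    client_ip: str        # user-agent address as seen by the server
    tls_session_id: str   # id of the (possibly resumed) TLS session
    cookie: str = None    # HTTP session cookie, if the client sent one


class IpBoundCookieStore:
    """Cookie session pinned to the client IP (the practice argued against)."""
    def __init__(self):
        self._sessions = {}   # cookie value -> (client_ip, state)

    def create(self, req, state):
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = (req.client_ip, state)
        return cookie

    def lookup(self, req):
        entry = self._sessions.get(req.cookie)
        if entry is None or entry[0] != req.client_ip:
            return None   # NAT or dual-stack address change: session lost
        return entry[1]


class TlsSessionStore:
    """State keyed on the TLS session id: no cookie and no IP check."""
    def __init__(self):
        self._sessions = {}

    def create(self, req, state):
        self._sessions[req.tls_session_id] = state

    def lookup(self, req):
        return self._sessions.get(req.tls_session_id)   # None once TLS session changes


def replay_dual_stack_client():
    """Login over IPv4, follow-up over IPv6 on the resumed TLS session,
    then a request on a brand-new TLS session (constructed values)."""
    ip4, ip6, tls = "203.0.113.7", "2001:db8::7", "tls-sess-A"
    ip_store, tls_store = IpBoundCookieStore(), TlsSessionStore()
    login = Request(ip4, tls)
    cookie = ip_store.create(login, {"user": "alice"})
    tls_store.create(login, {"user": "alice"})
    flipped = Request(ip6, tls, cookie)            # same browser, now via IPv6
    fresh = Request(ip6, "tls-sess-B", cookie)     # new TLS session, cookie kept
    return {"ip_bound_after_flip": ip_store.lookup(flipped),
            "tls_bound_after_flip": tls_store.lookup(flipped),
            "tls_bound_new_tls": tls_store.lookup(fresh)}
```

The last entry shows the trade-off: TLS-bound state disappears whenever the browser negotiates a fresh TLS session, whereas a cookie that is not pinned to an address would still be presented.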