Re: Linking a cookie to an IP address is a very bad in 2015...

The HttpOnly flag is ... interesting. If a page contains injected
scripts, game over, the attacker can do anything as the authorized
user. The HttpOnly flag is like, you are walking in a thunderstorm?
Here, wear this tinfoil hat.

Zhong Yu
bayou.io


On Thu, Apr 2, 2015 at 5:46 AM, Michael Sweet <msweet@apple.com> wrote:
> The cookie info should not be accessible to JavaScript if the HttpOnly flag
> is specified when the cookie is set... (Unless the browser is seriously
> broken...)
>
> Sent from my iPad
>
> On Apr 2, 2015, at 2:18 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
>
> Using User-Agent appears to me as more stable than the IP address for sure
> :-)
>
> And to reply to the suggestion of always using SSL (which is probably good
> anyway): it is not enough, as cookies can be stolen from the browser itself
> if an attacker can inject some JavaScript into the browser (using the good
> old cross-site scripting, for example).
>
> -éric
>
> From: Max Bruce <max.bruce12@gmail.com>
> Date: Wednesday 1 April 2015 15:57
> To: Willy Tarreau <w@1wt.eu>
> Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, Eric
> Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
>
> That's a great point. What about User-Agent checking?
>
> On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:
>>
>> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
>> > What about linking to several? I wrote a session system for my Web Server
>> > that will only allow access to the original Session ID if the IP &
>> > User-Agent has remained unchanged, in order to protect against session
>> > hijacking. I've found it's highly effective, unless you IP Spoof.
>>
>> Sure it's highly effective. Just like it's highly effective in randomly
>> denying access to people who browse using multiple WiFi access points or
>> who switch between 3G and WiFi.
>>
>> Willy
>>
>
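As an added example (not code from anyone in this thread), here is a small Python sketch of the IP/User-Agent session binding Max describes, the Secure/HttpOnly cookie attributes the others mention, and the mobility case Willy objects to; the session record, addresses, User-Agent string and function names are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Server-side session record: the ID plus the client details captured at login."""
    sid: str
    ip: str
    user_agent: str


def session_allowed(sess: Session, req_ip: str, req_ua: str) -> bool:
    """The binding described in the thread: the session ID is honoured only
    while both the client IP and the User-Agent are unchanged."""
    return sess.ip == req_ip and sess.user_agent == req_ua


def set_cookie_header(name: str, value: str) -> str:
    """Emit a session cookie with the two attributes the thread discusses:
    Secure (sent only over SSL/TLS) and HttpOnly (hidden from document.cookie)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly"


def cookie_flags(set_cookie: str) -> dict:
    """Audit a Set-Cookie header: report which of Secure / HttpOnly are present."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return {"secure": "secure" in attrs, "httponly": "httponly" in attrs}


def mobility_scenario() -> dict:
    """Walk one bound session through the outcomes argued in the thread
    (the session ID, addresses and UA string are constructed sample values)."""
    ua = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
    sess = Session(sid="s3ss10n-id-constructed", ip="192.0.2.10", user_agent=ua)
    return {
        # Same network, same browser: the legitimate user keeps working.
        "same_network": session_allowed(sess, "192.0.2.10", ua),
        # Willy's objection: the same user moves from WiFi to 3G, gets a new
        # address, and the binding denies a perfectly legitimate request.
        "switched_to_3g": session_allowed(sess, "198.51.100.7", ua),
        # The benefit Max is after: a cookie presented from another address
        # and browser is refused.
        "other_client": session_allowed(sess, "203.0.113.42", "OtherAgent/2.0"),
    }


if __name__ == "__main__":
    print(set_cookie_header("sid", "s3ss10n-id-constructed"))
    print(cookie_flags("sid=abc; Path=/"))  # neither flag set
    print(mobility_scenario())
```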

Received on Thursday, 2 April 2015 16:18:58 UTC