Re: Linking a cookie to an IP address is a very bad in 2015...

On Thu, Apr 2, 2015 at 11:19 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> On 2 April 2015 at 09:11, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>> The server can bind state to the TLS
>> session; there's no need for an HTTP cookie, if the site is HTTPS
>> only.
>
> I always recommend against that.  Connections break.

The new connection will likely reuse the same TLS session[1]. The
browser is not required to do that, but from my tests,
Firefox/IE/Chrome on Windows apparently do.

Zhong Yu

[1] http://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake

Received on Thursday, 2 April 2015 16:40:21 UTC