- From: Michael Sweet <msweet@apple.com>
- Date: Thu, 02 Apr 2015 12:59:48 -0400
- To: Zhong Yu <zhong.j.yu@gmail.com>
- Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
HTTPS does not guarantee that the connection stays up forever or that there is only one connection, particularly for HTTP/1.1, but even for HTTP/2 it isn't a "safe" assumption.

> On Apr 2, 2015, at 12:11 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>
> A TLS session is a pretty good alternative. Within one browser
> session, different HTTPS connections to the same server will likely
> share the same TLS session. The server can bind state to the TLS
> session; there's no need for an HTTP cookie, if the site is HTTPS
> only.
>
> Zhong Yu
> bayou.io
>
>
>
> On Wed, Apr 1, 2015 at 6:32 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
>> In the era of scarce IPv4 addresses, servers should NOT link the HTTP
>> session cookies to the user-agent IP address...
>>
>> I have posted in the IETF V6OPS WG the following:
>> http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
>> https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie
>>
>> In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change
>> of user-agent address => loss of session.
>>
>> Any suggestion on how this can be addressed? I know at least two major web
>> sites in Belgium that removed IPv6 from their web site due to this issue
>> (and their security department not wanting to unlink IP address from the
>> session cookies)
>>
>> Comments are welcome
>>
>> -éric
>>
>
_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
Received on Thursday, 2 April 2015 17:00:20 UTC
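The failure Eric describes (a session cookie tied to the user-agent address, a NAT rebinding or a dual-stack client moving between IPv4 and IPv6, and the session being lost) can be reproduced in a few lines. The following is an added example, not code from anyone in this thread or from the happy-eyeballs-cookie draft. The request sequence, the user name "alice", and the addresses (documentation ranges 203.0.113.0/24 and 2001:db8::/32) are constructed; the three validation policies, including the "treat an address change as a risk signal instead of a session kill" middle ground, are this editor's illustration of the design space and are not something the draft or the thread proposes.

```python
"""Session-cookie validation with and without client-IP binding.

Added example (not from the mailing-list thread). The request sequence
below is constructed: a dual-stack client behind a NAT whose public IPv4
address changes mid-session, and whose Happy Eyeballs logic later opens a
fresh connection over IPv6 to the same HTTPS site.
"""
import ipaddress
import secrets

# In-memory session store: session_id -> {"user": ..., "ip": ...}
SESSIONS = {}
# Audit trail of address changes seen by the "signal" policy.
EVENTS = []

# Constructed request log: (path, client address as seen by the server).
CONSTRUCTED_REQUESTS = [
    ("/login", "203.0.113.5"),    # IPv4 via carrier-grade NAT
    ("/account", "203.0.113.5"),  # same NAT binding, session should work
    ("/account", "203.0.113.9"),  # NAT rebinds to another public address
    ("/account", "2001:db8::1"),  # Happy Eyeballs picks IPv6 for a new connection
]


def create_session(user, client_ip):
    """Issue a new session id and remember the address that created it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "ip": ipaddress.ip_address(client_ip)}
    return sid


def validate_ip_bound(sid, client_ip):
    """Strict policy: the cookie is only honoured from its creating address.

    Any mismatch is treated as a hijack and the session is destroyed, which
    is exactly what logs a NAT or dual-stack user out through no fault of
    their own.
    """
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["ip"] != ipaddress.ip_address(client_ip):
        SESSIONS.pop(sid)
        return None
    return sess["user"]


def validate_unbound(sid, client_ip):
    """Policy that does not couple the session to the transport address.

    Session security then rests on the cookie itself (random id, Secure,
    HttpOnly, expiry), not on where the packets came from.
    """
    sess = SESSIONS.get(sid)
    return None if sess is None else sess["user"]


def validate_ip_as_signal(sid, client_ip):
    """Middle ground (editor's illustration): an address change keeps the
    session alive but is recorded as a risk signal that a site could use to
    require re-authentication before sensitive actions."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    seen = ipaddress.ip_address(client_ip)
    if sess["ip"] != seen:
        EVENTS.append((sid, str(sess["ip"]), str(seen)))
        sess["ip"] = seen  # track the last-seen address
    return sess["user"]


def simulate(policy):
    """Run the constructed request sequence through one validation policy.

    Returns the user served for each request; None means the request was
    refused because the session was rejected or already destroyed.
    """
    SESSIONS.clear()
    EVENTS.clear()
    sid = None
    served = []
    for path, ip in CONSTRUCTED_REQUESTS:
        if path == "/login":
            sid = create_session("alice", ip)  # login response sets the cookie
            served.append("alice")
            continue
        served.append(policy(sid, ip))
    return served


if __name__ == "__main__":
    for policy in (validate_ip_bound, validate_unbound, validate_ip_as_signal):
        print(f"{policy.__name__:22s} {simulate(policy)}")
    print("address changes recorded by the signal policy:", EVENTS)
```

Running it shows the strict policy losing the user at the third request (the NAT rebinding) and never recovering, while the other two keep serving through the IPv6 switch; the signal policy additionally records both address changes so that the security team keeps a hijack indicator without the site having to turn off IPv6.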