Re: Linking a cookie to an IP address is a very bad in 2015...

It effectively stops JS from reading a cookie. All browsers support it well today. Use it, it does no harm.

--
Jim Manico
@Manicode
(808) 652-3805

> On Apr 2, 2015, at 9:18 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> 
> The HttpOnly flag is ... interesting. If a page contains injected
> scripts, game over, the attacker can do anything as the authorized
> user. The HttpOnly flag is like, you are walking in a thunderstorm?
> here, wear this tinfoil hat.
> 
> Zhong Yu
> bayou.io
> 
> 
>> On Thu, Apr 2, 2015 at 5:46 AM, Michael Sweet <msweet@apple.com> wrote:
>> The cookie info should not be accessible to JavaScript if the HttpOnly flag
>> is specified when the cookie is set... (Unless the browser is seriously
>> broken...)
>> 
>> Sent from my iPad
>> 
>> On Apr 2, 2015, at 2:18 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
>> 
>> Using User-Agent appears to me as more stable than the IP address for sure
>> :-)
>> 
>> And to reply to the suggestion of always using SSL (which is probably good
>> anyway): it is not enough as cookies can be stolen from the browser itself
>> if an attacker can inject some javascript into the browser (using the good
>> old cross site scripting for example)
>> 
>> -éric
>> 
>> From: Max Bruce <max.bruce12@gmail.com>
>> Date: Wednesday 1 April 2015 15:57
>> To: Willy Tarreau <w@1wt.eu>
>> Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, Eric
>> Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
>> Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
>> 
>> That's a great point. What about User-Agent checking?
>> 
>>> On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:
>>> 
>>>> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
>>>> What about linking to several? I wrote a session system for my Web
>>>> Server
>>>> that will only allow access to the original Session ID if the IP &
>>>> User-Agent has remained unchanged, in order to protect against session
>>>> hijacking. I've found it's highly effective, unless you IP Spoof.
>>> 
>>> Sure it's highly effective. Just like it's highly effective in randomly
>>> denying access to people who browse using multiple WiFi access point or
>>> who switch between 3G and WiFi.
>>> 
>>> Willy
>> 

Received on Thursday, 2 April 2015 17:08:22 UTC
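Added example, not written by any participant in the thread: a small Node.js check that audits a Set-Cookie header for the HttpOnly attribute Michael and Jim discuss and for the Secure attribute that the "always use SSL" suggestion relies on. The sample headers are constructed for the example.

```javascript
// Parse one Set-Cookie header value into its name/value pair and its
// attributes. Attribute names are matched case-insensitively (RFC 6265);
// the ';' split is safe because the comma in an Expires date is not a
// delimiter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq >= 0 ? pair.slice(0, eq).trim() : pair;
  const value = eq >= 0 ? pair.slice(eq + 1).trim() : "";
  const attributes = {};
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i >= 0 ? a.slice(0, i) : a).trim().toLowerCase();
    // Flag attributes (HttpOnly, Secure) carry no value; record them as true.
    attributes[key] = i >= 0 ? a.slice(i + 1).trim() : true;
  }
  return { name, value, attributes };
}

// Report the two weaknesses raised in the thread: a cookie without HttpOnly
// is readable via document.cookie by any script running in the page, and a
// cookie without Secure is also sent over plaintext HTTP.
function auditSessionCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!("httponly" in cookie.attributes)) {
    findings.push("missing HttpOnly: readable by page scripts");
  }
  if (!("secure" in cookie.attributes)) {
    findings.push("missing Secure: may be sent over plaintext HTTP");
  }
  return { name: cookie.name, findings };
}

// Constructed sample headers (not captured traffic).
const SAMPLE_HEADERS = [
  "JSESSIONID=abc123; Path=/; HttpOnly; Secure",
  "sid=xyz789; Path=/; Expires=Wed, 01 Apr 2015 15:57:00 GMT",
];

for (const h of SAMPLE_HEADERS) {
  const result = auditSessionCookie(h);
  console.log(result.name, result.findings.length ? result.findings : "ok");
}
```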