Re: Linking a cookie to an IP address is a very bad in 2015...

Walter,

The session-ID can be in a session cookie (preferred) but also in the URL (which is of course not really secure).

Two hosts behind a NAT _may_ share the same IP address (usually there is a pool of IP addresses) and the TCP port keeps changing... There is no real way to point to one specific user-agent.

Also, the I-D refers to another problem, when the user-agent keeps changing IP address ;-)

From: "Walter H." <Walter.H@mathemainzel.info>
Organization: Home
Date: Saturday 4 April 2015 11:49
To: Max Bruce <max.bruce12@gmail.com>
Cc: <ietf-http-wg@w3.org>
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Resent-From: <ietf-http-wg@w3.org>
Resent-Date: Sat, 4 Apr 2015 09:49:55 +0000

Let me ask it differently: where is the Session ID? Is it part of an HTTP header, part of an HTML header, a session cookie, or is it part of the URL itself that is requested?

The second: two identically configured hosts behind NAT differ neither in the user agent nor in the IP address; they only differ in the source TCP port ...

On 03.04.2015 09:13, Max Bruce wrote:
When you say transmitting from host to server, what do you mean?
And yes, if I understand what you're asking. It effectively compiled a random hash, and then enforced an IP & user agent. I have recently removed the IP enforcement though.

On Fri, Apr 3, 2015 at 12:10 AM, Walter H. <Walter.H@mathemainzel.info> wrote:
On 01.04.2015 21:48, Max Bruce wrote:
What about linking to several? I wrote a session system for my Web Server that will only allow access to the original Session ID if the IP & User-Agent have remained unchanged, in order to protect against session hijacking. I've found it's highly effective, unless you IP Spoof.
What kind of mechanism do you use for transmitting the Session ID from host to server?
Does it prevent access from an identically configured but different host behind a NAT?

Received on Saturday, 4 April 2015 10:27:08 UTC
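The session-binding scheme discussed in this thread, as an added illustration that is not Max Bruce's code nor anything from the list: a server-side store that ties a session ID to a fingerprint of the User-Agent and, optionally, the source IP, with a helper that reproduces the two NAT cases Walter and the I-D raise (the hostnames, addresses and User-Agent strings are constructed sample values).

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side sessions bound to a client fingerprint (constructed example)."""

    def __init__(self, bind_ip: bool):
        self.bind_ip = bind_ip
        self._sessions = {}  # session_id -> fingerprint hex digest

    def _fingerprint(self, ip: str, user_agent: str) -> str:
        # The source TCP port is deliberately absent: it changes per connection,
        # so it can never be part of a stable binding.
        material = f"{ip}|{user_agent}" if self.bind_ip else user_agent
        return hashlib.sha256(material.encode()).hexdigest()

    def create(self, ip: str, user_agent: str) -> str:
        # A CSPRNG token, not a hash of guessable inputs, is what makes the
        # session ID unguessable; the binding only limits replay.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = self._fingerprint(ip, user_agent)
        return sid

    def validate(self, sid: str, ip: str, user_agent: str) -> bool:
        expected = self._sessions.get(sid)
        if expected is None:
            return False
        return hmac.compare_digest(expected, self._fingerprint(ip, user_agent))


def nat_scenarios() -> tuple:
    """Return (twin_behind_nat_accepted, roaming_owner_rejected) with IP binding on."""
    store = SessionStore(bind_ip=True)
    nat_ip = "203.0.113.7"  # constructed: the NAT's public address
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/37.0"  # constructed
    sid = store.create(nat_ip, ua)
    # An identically configured second host behind the same NAT presents the
    # same IP and User-Agent; only its source port differs, which the check
    # never sees, so the binding cannot tell the two apart.
    twin_accepted = store.validate(sid, nat_ip, ua)
    # The legitimate owner whose address changed (NAT pool rotation, mobile
    # handover) is locked out: the cost of binding to the IP.
    roaming_rejected = not store.validate(sid, "198.51.100.9", ua)
    return twin_accepted, roaming_rejected


if __name__ == "__main__":
    print(nat_scenarios())
```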