Re: Linking a cookie to an IP address is a very bad in 2015... from Jim Manico on 2015-04-04 (ietf-http-wg@w3.org from April to June 2015)

From: Jim Manico <jim@manico.net>
Date: Sat, 4 Apr 2015 14:02:11 -0700
To: Max Bruce <max.bruce12@gmail.com>
Cc: "Walter H." <Walter.H@mathemainzel.info>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <5BEA09A4-3374-4CAA-8D43-D51645CFDC6F@manico.net>

It's not •likely• to be an issue for short lived sessions but it could happen.

--
Jim Manico
@Manicode
(808) 652-3805

> On Apr 4, 2015, at 1:47 PM, Max Bruce <max.bruce12@gmail.com> wrote:
> 
> That isn't an issue for a session that's supposed to end 5 minutes or so after it begins.
> 
>> On Sat, Apr 4, 2015 at 9:12 AM, Jim Manico <jim@manico.net> wrote:
>> In the world of auto-updating browsers and therefor auto-updating user-agents, tying authentication to a user agent could have unintended negative consequences.
>> 
>> Tying authN to an IP address also has negative unintended consequences, like being on a mobile network while traveling, or being behind certain gateways - your IP address may change in short timespans. 
>> 
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> 
>>> On Apr 4, 2015, at 3:18 AM, Max Bruce <max.bruce12@gmail.com> wrote:
>>> 
>>> The session ID is a cookie, so in the headers. And yes, because it also checks that cookie, which is randomly generated. It just enforces a user-agent server-side. It DID enforce an IP, but I removed this for other reasons discussed earlier.
>>> 
>>>> On Sat, Apr 4, 2015 at 2:49 AM, Walter H. <Walter.H@mathemainzel.info> wrote:
>>>> let me ask it different:  where is the Session ID, is it part of a http-header, part of a html-header, a session-cookie, or is it part of the URL itself that is requested?
>>>> 
>>>> the second: two ident configured hosts behind NAT do not differ neither in the user agent nor in the IP address; they only differ in the source TCP-port ...
>>>> 
>>>>> On 03.04.2015 09:13, Max Bruce wrote:
>>>>> When you say transmitting from host to server, what do you mean?
>>>>> And yes, if I understand what your asking. It effectively compiled a random hash, and then enforced an IP & user agent. I have recently removed the IP enforecement though.
>>>>> 
>>>>> On Fri, Apr 3, 2015 at 12:10 AM, Walter H. <Walter.H@mathemainzel.info> wrote:
>>>>>> On 01.04.2015 21:48, Max Bruce wrote:
>>>>>> What about linking to several? I wrote a session system for my Web Server that will only allow access to the original Session ID if the IP & User-Agent has remained unchanged, in order to protect against session hijacking. I've found it's highly effective, unless you IP Spoof.
>>>>> what kind of mechanism do you use for transmitting the Session ID from host to server?
>>>>> does it prevent access from an ident configured but different host behind a NAT?
>

Received on Saturday, 4 April 2015 21:02:41 UTC