IETF Logo Mail Archive

Re: Linking a cookie to an IP address is a very bad in 2015...

Jim Manico <jim@manico.net> Thu, 02 April 2015 17:11 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB0C91ACEDC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 Apr 2015 10:11:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.312
X-Spam-Level:
X-Spam-Status: No, score=-6.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ixkXr3JTv35v for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 Apr 2015 10:11:35 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EAD91ACEE8 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 2 Apr 2015 10:11:35 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1YdibR-0000Jk-G5 for ietf-http-wg-dist@listhub.w3.org; Thu, 02 Apr 2015 17:08:25 +0000
Resent-Date: Thu, 02 Apr 2015 17:08:25 +0000
Resent-Message-Id: <E1YdibR-0000Jk-G5@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <jim@manico.net>) id 1YdibO-0000Iy-LS for ietf-http-wg@listhub.w3.org; Thu, 02 Apr 2015 17:08:22 +0000
Received: from mail-pd0-f177.google.com ([209.85.192.177]) by lisa.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <jim@manico.net>) id 1YdibN-0000wc-NS for ietf-http-wg@w3.org; Thu, 02 Apr 2015 17:08:22 +0000
Received: by pddn5 with SMTP id n5so95145120pdd.2 for <ietf-http-wg@w3.org>; Thu, 02 Apr 2015 10:07:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=+SsmnrSWhbNlTbxuEbloT0LcHu2ewI4LpZL9i8nXzYw=; b=NXDng09m/8Lp7ICRteFKuo5GShSLD1llKZ/PDeh7BBqvKFjK/rk+K5GqUHKh9nXKxP 1CosBT2JGresDM2pHs/8cMV87uq3S8Bciwe4xicgJ4J8OmWBez9SsbOCwDKTKIt3zwg1 /GyXavbIa9JIB1I+fnbXsjzQ8LvHGdhm26gOWLRF9IqioBBdt4+xvItt/TkhZku7p8YQ P4M4BZFBzTPFdgJlNqF5yzsqJlODHoI5jdkDUgmfXg1c8crxlYc7N+VK6fu9V77gmPdB gMmb7lDF2pPtd+BN893C1pSuNjefBd28UdSFJo12H/2cgjoRu+EG7s0TsWgna9tldFyv Gf5A==
X-Gm-Message-State: ALoCoQnjVQiB7Z9NqWcRlYND0SYcDiCqt3IrvjyizlKiky3z89D3QEzfcM01QtHFk5VSCe+1aKqc
X-Received: by 10.66.137.2 with SMTP id qe2mr16229336pab.77.1427994475445; Thu, 02 Apr 2015 10:07:55 -0700 (PDT)
Received: from [10.109.163.223] (mobile-166-171-250-075.mycingular.net. [166.171.250.75]) by mx.google.com with ESMTPSA id j1sm5758283pdj.94.2015.04.02.10.07.53 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 02 Apr 2015 10:07:53 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Jim Manico <jim@manico.net>
X-Mailer: iPhone Mail (12D508)
In-Reply-To: <CACuKZqFybQiGmwafArSFhtojYd1X=Pq++Dmm7V5dtaM_2qJnmg@mail.gmail.com>
Date: Thu, 02 Apr 2015 10:07:52 -0700
Cc: Michael Sweet <msweet@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Max Bruce <max.bruce12@gmail.com>, Willy Tarreau <w@1wt.eu>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA54A637-53F9-4250-B50B-1A158A94C46B@manico.net>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com> <20150401150716.GA7871@1wt.eu> <25C792A9-56D0-452D-A46C-561A44E4F229@manico.net> <20150401151634.GB7871@1wt.eu> <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com> <20150401195439.GC8021@1wt.eu> <CABb0SYTpk+rOB_1m5x5ahH1jDv30Ypx7Bu-k86wStg5mmO0R3w@mail.gmail.com> <D142AB83.41725%evyncke@cisco.com> <33D4BE4E-97DE-4F64-9CB3-53AF516960C6@apple.com> <CACuKZqFybQiGmwafArSFhtojYd1X=Pq++Dmm7V5dtaM_2qJnmg@mail.gmail.com>
To: Zhong Yu <zhong.j.yu@gmail.com>
Received-SPF: none client-ip=209.85.192.177; envelope-from=jim@manico.net; helo=mail-pd0-f177.google.com
X-W3C-Hub-Spam-Status: No, score=-2.7
X-W3C-Hub-Spam-Report: MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1YdibN-0000wc-NS 1063752b857d2df668c317de6722c1f8
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/CA54A637-53F9-4250-B50B-1A158A94C46B@manico.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29224
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

It effectively stops JS from reading a cookie. All browsers support it well today. Use is, it does no harm.

--
Jim Manico
@Manicode
(808) 652-3805

> On Apr 2, 2015, at 9:18 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> 
> The HttpOnly flag is ... interesting. If a page contains injected
> scripts, game over, the attacker can do anything as the authorized
> user. The HttpOnly flag is like, you are walking in a thunderstorm?
> here, wear this tinfoil hat.
> 
> Zhong Yu
> bayou.io
> 
> 
>> On Thu, Apr 2, 2015 at 5:46 AM, Michael Sweet <msweet@apple.com> wrote:
>> The cookie info should not be accessible to JavaScript if the HttpOnly flag
>> is specified when the cookie is set... (Unless the browser is seriously
>> broken...)
>> 
>> Sent from my iPad
>> 
>> On Apr 2, 2015, at 2:18 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
>> 
>> Using User-Agent appears to me as more stable than the IP address for sure
>> :-)
>> 
>> And to reply to the suggestion of always using SSL (which is probably good
>> anyway): it is not enough as cookies can be stolen from the browser itself
>> if an attacker can inject some javascript into the browser (using the good
>> old cross site scripting for example)
>> 
>> -éric
>> 
>> From: Max Bruce <max.bruce12@gmail.com>
>> Date: mercredi 1 avril 2015 15:57
>> To: Willy Tarreau <w@1wt.eu>
>> Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, Eric
>> Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
>> Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
>> 
>> That's a great point. What about User-Agent checking?
>> 
>>> On Wed, Apr 1, 2015 at 12:54 PM, Willy Tarreau <w@1wt.eu> wrote:
>>> 
>>>> On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
>>>> What about linking to several? I wrote a session system for my Web
>>>> Server
>>>> that will only allow access to the original Session ID if the IP &
>>>> User-Agent has remained unchanged, in order to protect against session
>>>> hijacking. I've found it's highly effective, unless you IP Spoof.
>>> 
>>> Sure it's highly effective. Just like it's highly effective in randomly
>>> denying access to people who browse using multiple WiFi access point or
>>> who switch between 3G and WiFi.
>>> 
>>> Willy
>>

v2.46.0 | Report a Bug | By Email | System Status