Re: Linking a cookie to an IP address is a very bad in 2015...

"Walter H." <Walter.H@mathemainzel.info> Sat, 04 April 2015 09:54 UTC

Resent-Date: Sat, 04 Apr 2015 09:49:55 +0000
Resent-Message-Id: <E1YeKiB-0004Hg-MH@frink.w3.org>
Message-ID: <551FB3A5.503@mathemainzel.info>
Date: Sat, 04 Apr 2015 11:49:25 +0200
From: "Walter H." <Walter.H@mathemainzel.info>
Organization: Home
MIME-Version: 1.0
To: Max Bruce <max.bruce12@gmail.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com> <20150401150716.GA7871@1wt.eu> <25C792A9-56D0-452D-A46C-561A44E4F229@manico.net> <20150401151634.GB7871@1wt.eu> <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com> <551E3D00.5090501@mathemainzel.info> <CABb0SYQAOXRWL5TvD5H5g_4VDwLxF=6kzhmVgCSK8Pv7pq8Apw@mail.gmail.com>
In-Reply-To: <CABb0SYQAOXRWL5TvD5H5g_4VDwLxF=6kzhmVgCSK8Pv7pq8Apw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms040802000904040808030104"
Received-SPF: pass client-ip=81.19.149.124; envelope-from=Walter.H@mathemainzel.info; helo=mx14lb.world4you.com
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/551FB3A5.503@mathemainzel.info>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

let me ask it different:  where is the Session ID, is it part of a 
http-header, part of a html-header, a session-cookie, or is it part of 
the URL itself that is requested?

the second: two ident configured hosts behind NAT do not differ neither 
in the user agent nor in the IP address; they only differ in the source 
TCP-port ...

On 03.04.2015 09:13, Max Bruce wrote:
> When you say transmitting from host to server, what do you mean?
> And yes, if I understand what your asking. It effectively compiled a 
> random hash, and then enforced an IP & user agent. I have recently 
> removed the IP enforecement though.
>
> On Fri, Apr 3, 2015 at 12:10 AM, Walter H. <Walter.H@mathemainzel.info 
> <mailto:Walter.H@mathemainzel.info>> wrote:
>
>     On 01.04.2015 21:48, Max Bruce wrote:
>>     What about linking to several? I wrote a session system for my
>>     Web Server that will only allow access to the original Session ID
>>     if the IP & User-Agent has remained unchanged, in order to
>>     protect against session hijacking. I've found it's highly
>>     effective, unless you IP Spoof.
>     what kind of mechanism do you use for transmitting the Session ID
>     from host to server?
>     does it prevent access from an ident configured but different host
>     behind a NAT?
>
>

Attachment: smime.p7s

Linking a cookie to an IP address is a very bad i… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Walter H.

Re: Linking a cookie to an IP address is a very bad in 2015...

Attachment: smime.p7s