IETF Logo Mail Archive

Re: Linking a cookie to an IP address is a very bad in 2015...

Jim Manico <jim@manico.net> Thu, 02 April 2015 17:12 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A06391ACEE8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 Apr 2015 10:12:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XhWXFBbp3_-T for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 2 Apr 2015 10:12:01 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28CA61ACEDC for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 2 Apr 2015 10:12:01 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1Ydicz-0000ha-Um for ietf-http-wg-dist@listhub.w3.org; Thu, 02 Apr 2015 17:10:01 +0000
Resent-Date: Thu, 02 Apr 2015 17:10:01 +0000
Resent-Message-Id: <E1Ydicz-0000ha-Um@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.80) (envelope-from <jim@manico.net>) id 1Ydicx-0000V5-DA for ietf-http-wg@listhub.w3.org; Thu, 02 Apr 2015 17:09:59 +0000
Received: from mail-pd0-f180.google.com ([209.85.192.180]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <jim@manico.net>) id 1Ydicm-0000zI-2v for ietf-http-wg@w3.org; Thu, 02 Apr 2015 17:09:59 +0000
Received: by pdea3 with SMTP id a3so43842820pde.3 for <ietf-http-wg@w3.org>; Thu, 02 Apr 2015 10:09:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=jG2wVwtSJ//Olz8P+o0Kd8qgwU98ZoJaanebEnVkJLc=; b=XgnwpzbWnJUviNqgG4Lt71ukF5Ni8oKqtUmy4T/2DE/Q3E0aRl59Eg40ROK2v78m8u J/sm9f5bELXQzFCOWW+BblKQClpbGyZEX9580rbGEPzMAiCjS9Nx8ToUNRJ62oSDhIBh 0IXomoYvtJGSL23XyYnKb61vdZ+qdzKxWqKLiKehWPDFv7bLuyVztR7TYv8N6EgwR4UD xiPi7/bjNZBXD8lMFeEwiq9LiNqdffHSrBaD4ukO2HhqdEAFPnNMWkca0v4UwtplSQSH wQWEREZDwaLBMxhOYEnTcZNUvTuNmXd+susCiLZn8kv0J7sv8zFS0Grs/224Zt/6lMAo fplQ==
X-Gm-Message-State: ALoCoQk38Mr+iDTTHSTAdLm36HX3Q8MMHxsexv41Oajgu9sGMw8Yt5zXHZkG4JeEeQgyB0r0x8iC
X-Received: by 10.70.55.99 with SMTP id r3mr52951496pdp.10.1427994561711; Thu, 02 Apr 2015 10:09:21 -0700 (PDT)
Received: from [10.109.163.223] (mobile-166-171-250-075.mycingular.net. [166.171.250.75]) by mx.google.com with ESMTPSA id vh2sm5745873pbc.49.2015.04.02.10.09.20 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 02 Apr 2015 10:09:21 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Jim Manico <jim@manico.net>
X-Mailer: iPhone Mail (12D508)
In-Reply-To: <CACuKZqEisJgEcLq-fNfYNk8xpe8x1YzQQjTkniYK+J2tgBO0+g@mail.gmail.com>
Date: Thu, 02 Apr 2015 10:09:19 -0700
Cc: Martin Thomson <martin.thomson@gmail.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8809D993-A6CB-4960-82FF-20DE2C3181A2@manico.net>
References: <D141A3E5.4146E%evyncke@cisco.com> <CACuKZqHDru45jcZiDt91gVtrTZZqJJ2XaK6k0XVKK0R4nCciFg@mail.gmail.com> <CABkgnnXF72bcAF7STJTwi8c-WmBNWx4GppvW=1HKX7cNX6jWcg@mail.gmail.com> <CACuKZqEw=v8CbOPbRxVXVNOKj_rGt_v4ENVzwaWbC8C1vw9oNQ@mail.gmail.com> <CABkgnnUtb-SAE5yqZhHn-ZqsQW1uC4pCLRs4k4+JQjwTN1H09w@mail.gmail.com> <CACuKZqEisJgEcLq-fNfYNk8xpe8x1YzQQjTkniYK+J2tgBO0+g@mail.gmail.com>
To: Zhong Yu <zhong.j.yu@gmail.com>
Received-SPF: none client-ip=209.85.192.180; envelope-from=jim@manico.net; helo=mail-pd0-f180.google.com
X-W3C-Hub-Spam-Status: No, score=-2.7
X-W3C-Hub-Spam-Report: MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1Ydicm-0000zI-2v 7b5eec3cb0b12c296010ab0463cfff19
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/8809D993-A6CB-4960-82FF-20DE2C3181A2@manico.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29225
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Embedding session data in a fat cookie is actually •very• common in stateless REST architectures. Encrypt and sign those cookies as well.

--
Jim Manico
@Manicode
(808) 652-3805

> On Apr 2, 2015, at 9:51 AM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> 
> On Thu, Apr 2, 2015 at 11:47 AM, Martin Thomson
> <martin.thomson@gmail.com> wrote:
>> On 2 April 2015 at 09:39, Zhong Yu <zhong.j.yu@gmail.com> wrote:
>>> The new connection will like reuse the same TLS session[1]. The
>>> browser is not required to do that, but from my tests,
>>> firefox/IE/chrome on Windows apparently do.
>> 
>> Only if you hit the same server in the cluster, or the cluster has
>> shared resumption AND session state.
> 
> But a session-id cookie will have the same problems.
> 
> We could embed all session data in a fat cookie, but I don't think
> that's a common practice.
> 
>> HTTP is a message-based
>> protocol, binding state to a connection has to be regarded as an
>> optimization only.
>

v2.46.0 | Report a Bug | By Email | System Status