Re: Linking a cookie to an IP address is a very bad in 2015...

Michael Sweet <msweet@apple.com> Thu, 02 April 2015 17:03 UTC

Resent-Date: Thu, 02 Apr 2015 17:00:23 +0000
Resent-Message-Id: <E1YdiTf-0005sA-RN@frink.w3.org>
MIME-version: 1.0 (Mac OS X Mail 8.2 \(2095\))
Content-type: text/plain; charset="utf-8"
From: Michael Sweet <msweet@apple.com>
In-reply-to: <CACuKZqHDru45jcZiDt91gVtrTZZqJJ2XaK6k0XVKK0R4nCciFg@mail.gmail.com>
Date: Thu, 02 Apr 2015 12:59:48 -0400
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-transfer-encoding: quoted-printable
Message-id: <9883E896-F9B0-4E16-ADF5-B0B1893058C8@apple.com>
References: <D141A3E5.4146E%evyncke@cisco.com> <CACuKZqHDru45jcZiDt91gVtrTZZqJJ2XaK6k0XVKK0R4nCciFg@mail.gmail.com>
To: Zhong Yu <zhong.j.yu@gmail.com>
Received-SPF: pass client-ip=17.151.62.27; envelope-from=msweet@apple.com; helo=mail-in5.apple.com
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/9883E896-F9B0-4E16-ADF5-B0B1893058C8@apple.com>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

HTTPS does not guarantee that the connection stays up forever or that there is only one connection, particularly for HTTP/1.1 but even for HTTP/2 it isn't a "safe" assumption.


> On Apr 2, 2015, at 12:11 PM, Zhong Yu <zhong.j.yu@gmail.com> wrote:
> 
> A TLS session is a pretty good alternative. Within one browser
> session, different HTTPS connections to the same server will likely
> share the same TLS session. The server can bind state to the TLS
> session; there's no need for an HTTP cookie, if the site is HTTPS
> only.
> 
> Zhong Yu
> bayou.io
> 
> 
> 
> On Wed, Apr 1, 2015 at 6:32 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
>> In the era of scarce IPv4 addresses, servers should NOT link the HTTP
>> session cookies to the user-agent IP address...
>> 
>> I have posted in the IETF V6OPS WG the following:
>> http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
>> https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie
>> 
>> In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change
>> of user-agent address => lost of session.
>> 
>> Any suggestion on how this can be addressed? I know at least two major web
>> sites in Belgium that removed IPv6 from their web site due to this issue
>> (and their security department not wanting to unlink IP address from the
>> session cookies)
>> 
>> Comments are welcome
>> 
>> -éric
>> 
> 

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Linking a cookie to an IP address is a very bad i… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Walter H.