Re: Linking a cookie to an IP address is a very bad in 2015...

Michael Sweet <msweet@apple.com> Wed, 01 April 2015 20:34 UTC

Resent-Date: Wed, 01 Apr 2015 20:30:51 +0000
Resent-Message-Id: <E1YdPHn-0006Km-Hf@frink.w3.org>
MIME-version: 1.0 (Mac OS X Mail 8.2 \(2095\))
Content-type: text/plain; charset="us-ascii"
From: Michael Sweet <msweet@apple.com>
In-reply-to: <20150401200935.GA8035@1wt.eu>
Date: Wed, 01 Apr 2015 16:30:15 -0400
Cc: Max Bruce <max.bruce12@gmail.com>, Jim Manico <jim@manico.net>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-transfer-encoding: quoted-printable
Message-id: <4F7C5C07-9A6B-4424-BD7A-89790A34651A@apple.com>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com> <20150401150716.GA7871@1wt.eu> <25C792A9-56D0-452D-A46C-561A44E4F229@manico.net> <20150401151634.GB7871@1wt.eu> <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com> <20150401195439.GC8021@1wt.eu> <CABb0SYTpk+rOB_1m5x5ahH1jDv30Ypx7Bu-k86wStg5mmO0R3w@mail.gmail.com> <20150401200935.GA8035@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
Received-SPF: pass client-ip=17.151.62.28; envelope-from=msweet@apple.com; helo=mail-in6.apple.com
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/4F7C5C07-9A6B-4424-BD7A-89790A34651A@apple.com>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

Willy,

> On Apr 1, 2015, at 4:09 PM, Willy Tarreau <w@1wt.eu> wrote:
> 
> On Wed, Apr 01, 2015 at 12:57:56PM -0700, Max Bruce wrote:
>> That's a great point. What about User-Agent checking?
> 
> Yes, that's what Michael mentionned as well. I *believe* that some
> UAs send different values when a plugin performs a request, but I'm
> not 100% certain. That's clearly something to check for those who
> want to do this though.
> 
> I find it fun to see people scared about cookie stealing at an era
> where some others are pushing hard for TLS everywhere. Either one
> is a problem of the past, or the other is ineffective against info
> leak :-)

MiTM attacks/proxies can cause cookies "protected" by TLS to be exposed, but at that point the client IP validation is probably also defeated.  Javascript-based attacks are also possible, assuming you haven't set HttpOnly on the session cookie, but again those will come from the same IP so the validation is ineffective.

Probably the "right" answer is to always use TLS, never use the client IP or other request headers when constructing or validating the session ID, limit the amount of time a session ID is valid, and make sure your session IDs cannot be easily guessed.  (Which is pretty much what the OWASP cheat sheet says, minus the IP validation stuff...)

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Linking a cookie to an IP address is a very bad i… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Walter H.