Linking a cookie to an IP address is a very bad in 2015...

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Wed, 01 April 2015 11:37 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Wed, 01 Apr 2015 11:32:05 +0000
Subject: Linking a cookie to an IP address is a very bad in 2015...
Message-ID: <D141A3E5.4146E%evyncke@cisco.com>
Archived-At: <http://www.w3.org/mid/D141A3E5.4146E%25evyncke@cisco.com>
List-Id: <ietf-http-wg.w3.org>

In the era of scarce IPv4 addresses, servers should NOT link the HTTP session cookies to the user-agent IP address...

I have posted in the IETF V6OPS WG the following:
http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie

In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change of user-agent address => loss of session.

Any suggestion on how this can be addressed? I know at least two major web sites in Belgium that removed IPv6 from their web site due to this issue (and their security department not wanting to unlink IP address from the session cookies).

Comments are welcome.

-éric
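The failure mode described in the post, replayed against a minimal server-side session store, as an added example that is not part of the original message nor of the referenced slides or draft. One validator binds the session to the issuing IP address; the other trusts an HMAC-signed cookie with a short idle timeout and records an address change as a log event instead of dropping the session. The user names, addresses, timeout value and request trace are constructed for the demonstration.

```python
"""Session cookies bound to the client IP versus signed, unbound cookies.

Added example (not from the original post). All names, addresses, the
SESSION_TTL value and the request trace below are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-server cookie-signing key (constructed)
SESSION_TTL = 900                      # idle seconds before a session expires (assumption)

_sessions: dict = {}                   # sid -> session record, kept server side


def ip_family(ip: str) -> int:
    """4 or 6, so a NAT64/Happy-Eyeballs switch is visible in the log."""
    return ipaddress.ip_address(ip).version


def _mac(sid: str) -> str:
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, client_ip: str, now: float) -> str:
    """Create a session at login time; the cookie value is 'sid.mac'."""
    sid = secrets.token_urlsafe(24)    # urlsafe alphabet never contains '.'
    _sessions[sid] = {"user": user, "ip": client_ip, "last_seen": now}
    return f"{sid}.{_mac(sid)}"


def _lookup(cookie: str, now: float):
    """Return the session record if the cookie is authentic and not idle-expired."""
    sid, _, mac = cookie.rpartition(".")
    if not sid or not hmac.compare_digest(mac, _mac(sid)):
        return None                    # forged or truncated cookie
    s = _sessions.get(sid)
    if s is None or now - s["last_seen"] > SESSION_TTL:
        return None
    return s


def validate_ip_bound(cookie: str, client_ip: str, now: float, events: list) -> bool:
    """The brittle design: the cookie is only honoured from the IP it was issued to."""
    s = _lookup(cookie, now)
    if s is None:
        return False
    if s["ip"] != client_ip:
        # NAT pool rotation or an IPv4 -> IPv6 switch lands here: the user is logged out.
        events.append(f"rejected {s['user']}: cookie issued to {s['ip']}, seen from {client_ip}")
        return False
    s["last_seen"] = now
    return True


def validate_unbound(cookie: str, client_ip: str, now: float, events: list) -> bool:
    """Alternative: rely on the MAC and the idle timeout; log an address change as a
    risk signal for the SOC instead of treating it as proof of theft."""
    s = _lookup(cookie, now)
    if s is None:
        return False
    if client_ip != s["ip"]:
        kind = "family change" if ip_family(client_ip) != ip_family(s["ip"]) else "address change"
        events.append(f"{kind} for {s['user']}: {s['ip']} -> {client_ip}")
        s["ip"] = client_ip
    s["last_seen"] = now
    return True


def simulate(validator):
    """Replay a constructed dual-stack client: login over IPv4 behind a NAT, then the
    browser picks IPv6 for the next request, then the NAT pool hands out a new IPv4."""
    _sessions.clear()
    t0 = 1_700_000_000.0
    cookie = issue_session("alice", "203.0.113.5", t0)
    trace = [("203.0.113.5", t0 + 10), ("2001:db8::1", t0 + 20), ("203.0.113.7", t0 + 30)]
    events: list = []
    results = [validator(cookie, ip, t, events) for ip, t in trace]
    return results, events


if __name__ == "__main__":
    for v in (validate_ip_bound, validate_unbound):
        accepted, log = simulate(v)
        print(v.__name__, accepted)
        for line in log:
            print("  ", line)
```

Running the module prints `[True, False, False]` for the IP-bound validator and `[True, True, True]` for the unbound one, with the two address transitions logged; the unbound variant still rejects a cookie whose MAC does not verify and a session past its idle timeout, which is where the integrity and lifetime controls belong once the IP binding is gone.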