Re: Linking a cookie to an IP address is a very bad in 2015...

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 02 April 2015 06:37 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, "jim@owasp.org" <jim@owasp.org>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Thu, 02 Apr 2015 06:34:04 +0000
Message-ID: <D142AD09.4172C%evyncke@cisco.com>
References: <D141A3E5.4146E%evyncke@cisco.com> <B0E8A4F8-3D3C-44A1-B999-0B3E9034C00E@apple.com> <D666DA87-60FC-4DD7-B733-3855F5CEA190@manico.net>
In-Reply-To: <D666DA87-60FC-4DD7-B733-3855F5CEA190@manico.net>

Jim

Thanks for offering to update the OWASP cheat sheet in the sections:

  *   "Session ID Content" (where it should be stated that the stored client IP address cannot be used for authentication check),
  *   "Session ID guessing" (where it should be stated that blocking on IP address can actually block hundreds of valid users when this address is shared by hundreds of ISP subscribers)
  *   but the major change is in "binding the session ID to other user properties" where clearly the session ID cannot be linked anymore to the client IP address

There is also another thing to change in this cheat sheet in section "Logging Sessions Life Cycle": logging the IP address has little meaning nowadays (heavy NAT in use), see RFC 6302 which recommends logging the remote/client TCP port as well.

I am more than happy to assist you in rewriting those sections.

-éric
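An added illustration of the failure mode described in this thread (example code, not from the thread, OWASP, or the cited draft): a toy session store that, when configured to bind the session ID to the client address, logs out a legitimate dual-stack client whose next request arrives over IPv6, and that records the client port in its audit log as RFC 6302 recommends. The class, addresses and ports are constructed sample values.

```python
import secrets


class SessionStore:
    """Toy server-side session store; bind_to_ip=True reproduces the legacy check."""

    def __init__(self, bind_to_ip: bool):
        self.bind_to_ip = bind_to_ip
        self._sessions = {}        # sid -> {"user": ..., "first_ip": ...}
        self.audit_log = []

    def create(self, user, client_ip, client_port):
        # 256 bits of entropy: the session ID itself is the secret and needs
        # no "reinforcement" from the transport address.
        sid = secrets.token_urlsafe(32)
        # first_ip is kept for audit only, never as an authentication factor
        self._sessions[sid] = {"user": user, "first_ip": client_ip}
        self._log("create", sid, client_ip, client_port)
        return sid

    def validate(self, sid, client_ip, client_port):
        sess = self._sessions.get(sid)
        if sess is None:
            self._log("unknown-sid", sid, client_ip, client_port)
            return None
        if self.bind_to_ip and client_ip != sess["first_ip"]:
            # Legacy binding: an address change (CGN pool rotation, IPv4->IPv6
            # Happy Eyeballs switch) is treated as a hijack; the user is logged out.
            self._log("reject-ip-mismatch", sid, client_ip, client_port)
            return None
        self._log("ok", sid, client_ip, client_port)
        return sess["user"]

    def _log(self, event, sid, client_ip, client_port):
        # RFC 6302: record the source port with the address, since behind a
        # NAT the address alone does not identify one subscriber.
        self.audit_log.append(
            f"event={event} sid={sid[:8]}... src={client_ip} sport={client_port}")


def dual_stack_scenario(bind_to_ip):
    """Constructed scenario: login over IPv4 (behind CGN), next request over IPv6."""
    store = SessionStore(bind_to_ip)
    sid = store.create("alice", "198.51.100.7", 51234)
    user = store.validate(sid, "2001:db8::1", 40211)   # same client, new address
    return user, store.audit_log
```

With `bind_to_ip=True` the second request is rejected even though the session ID is valid; with it off, the request succeeds and the log still carries address and port for incident investigation.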



From: Jim Manico <jim@manico.net>
Date: Wednesday 1 April 2015 17:44
To: Michael Sweet <msweet@apple.com>
Cc: Eric Vyncke <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...

Michael,

I manage the cheatsheet series for OWASP. If you think this should be changed, hit me up off list at jim@owasp.org

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Apr 1, 2015, at 1:13 PM, Michael Sweet <msweet@apple.com> wrote:

Here is the information our security guys rely on for best practices in web site session cookies:

    https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

Client IP address is currently listed as one of the properties that can be used to bind the session ID to a specific client.

I'm not sure whether current PHP, etc. use the client IP or User Agent to validate the session ID...


On Apr 1, 2015, at 7:32 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:

In the era of scarce IPv4 addresses, servers should NOT link the HTTP session cookies to the user-agent IP address...

I have posted in the IETF V6OPS WG the following:
http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie

In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change of user-agent address => loss of session.

Any suggestion on how this can be addressed? I know at least two major web sites in Belgium that removed IPv6 from their web site due to this issue (and their security department not wanting to unlink the IP address from the session cookies).

Comments are welcome.

-éric


_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair