Re: Linking a cookie to an IP address is a very bad in 2015...

Willy Tarreau <w@1wt.eu> Wed, 01 April 2015 19:58 UTC

Date: Wed, 01 Apr 2015 21:54:39 +0200
From: Willy Tarreau <w@1wt.eu>
To: Max Bruce <max.bruce12@gmail.com>
Cc: Jim Manico <jim@manico.net>, Michael Sweet <msweet@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20150401195439.GC8021@1wt.eu>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com> <20150401150716.GA7871@1wt.eu> <25C792A9-56D0-452D-A46C-561A44E4F229@manico.net> <20150401151634.GB7871@1wt.eu> <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com>
In-Reply-To: <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com>
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/20150401195439.GC8021@1wt.eu>

On Wed, Apr 01, 2015 at 12:48:36PM -0700, Max Bruce wrote:
> What about linking to several? I wrote a session system for my Web Server
> that will only allow access to the original Session ID if the IP &
> User-Agent have remained unchanged, in order to protect against session
> hijacking. I've found it's highly effective, unless you IP Spoof.

Sure it's highly effective. Just like it's highly effective in randomly
denying access to people who browse using multiple WiFi access points or
who switch between 3G and WiFi.

Willy
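An added illustration of the two positions in the exchange above (example code written for this page, not from either poster's server): a session store that binds a session ID to the User-Agent and, optionally, to the client IP, run over a constructed request sequence in which one mobile client moves from 3G to WiFi. The IP addresses, User-Agent strings, and the `SessionStore`/`simulate` names are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    session_id: str
    client_ip: str
    user_agent: str


class SessionStore:
    """Server-side session table; bind_ip selects the strict IP+UA check."""

    def __init__(self, bind_ip: bool):
        self.bind_ip = bind_ip
        self._sessions: dict[str, tuple[str, str]] = {}

    def create(self, client_ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self._sessions[sid] = (client_ip, user_agent)
        return sid

    def validate(self, req: Request) -> bool:
        bound = self._sessions.get(req.session_id)
        if bound is None:
            return False
        bound_ip, bound_ua = bound
        # constant-time compare so the UA check leaks no timing information
        if not hmac.compare_digest(bound_ua, req.user_agent):
            return False
        if self.bind_ip and bound_ip != req.client_ip:
            return False  # same client, new network: denied under strict binding
        return True


def simulate(bind_ip: bool) -> list[bool]:
    """Return the accept/deny decision for each request in a constructed sequence."""
    store = SessionStore(bind_ip)
    ua = "Mozilla/5.0 (Android 5.0; Mobile)"          # constructed UA
    sid = store.create("10.0.0.5", ua)                  # login over 3G
    requests = [
        Request(sid, "10.0.0.5", ua),                   # still on 3G
        Request(sid, "192.0.2.10", ua),                 # switched to home WiFi
        Request(sid, "198.51.100.7", ua),               # another access point
        Request(sid, "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64)"),  # different browser
    ]
    return [store.validate(r) for r in requests]
```

With `bind_ip=True` every request after the network change is refused even though it comes from the same browser; with `bind_ip=False` only the request carrying a different User-Agent is refused.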