Re: Linking a cookie to an IP address is a very bad in 2015...

Michael Sweet <msweet@apple.com> Wed, 01 April 2015 14:57 UTC

Resent-Date: Wed, 01 Apr 2015 14:53:15 +0000
Resent-Message-Id: <E1YdK15-00013i-AI@frink.w3.org>
MIME-version: 1.0 (Mac OS X Mail 8.2 \(2095\))
Content-type: text/plain; charset="us-ascii"
From: Michael Sweet <msweet@apple.com>
In-reply-to: <20150401114608.GA7832@1wt.eu>
Date: Wed, 01 Apr 2015 10:52:32 -0400
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-transfer-encoding: quoted-printable
Message-id: <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
Received-SPF: pass client-ip=17.151.62.26; envelope-from=msweet@apple.com; helo=mail-in4.apple.com
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

Willy,

> On Apr 1, 2015, at 7:46 AM, Willy Tarreau <w@1wt.eu> wrote:
> ...
> I'm amazed people still do that in 2015, I had the idea to do it in 1999
> until I realized it was stupid and never did it! So I'd have guessed that
> 16 years later everyone would have also figured this! If IP addresses
> were stable during a session, cookies would not be needed, the address
> would be used instead. So it's precisely because addresses are unreliable
> that cookies exist.

Um, no.  IP addresses, by themselves, have never been useful as unique client identifiers.  NAT, DHCP, proxies, roaming, etc. all contribute to their instability.

Typically the client address will be incorporated into the session cookie value which contains a hash of a timestamp, client address, client-supplied headers (like User-Agent), server-supplied nonce value, and user ID and password (for sites with user accounts).

The main reason for incorporating client values into the session cookie hash is to (imperfectly) tie the cookie to the identity of the client (vs. the user) and (imperfectly) protect against replay attacks, particularly for HTTP connections.

From an operational standpoint, I've used this method on dozens of web sites over the years and maybe had 10 reports of problems due to NAT/proxies, over millions of visitors.  There may be some "selection bias" in that number (all of my web sites have been tech-oriented) but I don't think this is something that affects a large number of users given its continued, widespread use.

(Note: I'm not claiming that this practice is perfect or that we shouldn't try to come up with something better...)

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

Linking a cookie to an IP address is a very bad i… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Walter H.