Re: Linking a cookie to an IP address is a very bad in 2015...

"Walter H." <Walter.H@mathemainzel.info> Fri, 03 April 2015 07:14 UTC

Message-ID: <551E3D00.5090501@mathemainzel.info>
Date: Fri, 03 Apr 2015 09:10:56 +0200
From: "Walter H." <Walter.H@mathemainzel.info>
Organization: Home
X-Mailer: Mozilla/5.0 (UNIX; U; Cray X-MP/48; en-US; rv:2.70) Gecko/20110929 Communicator/7.20
MIME-Version: 1.0
To: Max Bruce <max.bruce12@gmail.com>
CC: Michael Sweet <msweet@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu> <04DD393C-711F-4C9E-B21C-B184B8972DFC@apple.com> <20150401150716.GA7871@1wt.eu> <25C792A9-56D0-452D-A46C-561A44E4F229@manico.net> <20150401151634.GB7871@1wt.eu> <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com>
In-Reply-To: <CABb0SYQ5=5BHSH-JQ5XsCi_bQ8h5FN=WNPvAYkzy94Bm=yTVwg@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms080007020004080400050901"
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/551E3D00.5090501@mathemainzel.info>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/29230

On 01.04.2015 21:48, Max Bruce wrote:
> What about linking to several? I wrote a session system for my Web
> Server that will only allow access to the original Session ID if the
> IP & User-Agent have remained unchanged, in order to protect against
> session hijacking. I've found it's highly effective, unless you IP Spoof.
What kind of mechanism do you use for transmitting the Session ID from host to server?
Does it prevent access from an identically configured but different host behind a NAT?
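As an added illustration (not the poster's code), a minimal session store that implements the IP + User-Agent binding described in the quoted post, exercised against the NAT case raised in the reply; the addresses and User-Agent strings are constructed sample values.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the attributes the session is bound to (IP + User-Agent)."""
    return hashlib.sha256(f"{ip}\n{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str


class BoundSessionStore:
    """Issues opaque session IDs and only honours one when the presenting
    client's IP and User-Agent match those recorded at login."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_fingerprint(ip, user_agent))
        return sid

    def resolve(self, sid, ip, user_agent):
        """Return the user for sid, or None if unknown or attributes changed."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not hmac.compare_digest(sess.fingerprint, client_fingerprint(ip, user_agent)):
            return None
        return sess.user


UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/37.0"  # constructed sample value


def demo() -> dict:
    store = BoundSessionStore()
    sid = store.create("alice", "203.0.113.10", UA)  # login from behind an office NAT
    return {
        "same_host": store.resolve(sid, "203.0.113.10", UA),
        "new_browser": store.resolve(sid, "203.0.113.10", "curl/7.41.0"),  # UA changed: rejected
        "nat_neighbour": store.resolve(sid, "203.0.113.10", UA),  # other host, same NAT IP and UA: accepted
        "ip_changed": store.resolve(sid, "198.51.100.7", UA),  # same user, new ISP address: locked out
    }
```

The `nat_neighbour` and `ip_changed` results show the two sides of the scheme: it cannot tell apart identically configured hosts sharing one NAT address, while it locks out a legitimate user whose address changes.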