Re: Linking a cookie to an IP address is a very bad in 2015...

"Walter H." <Walter.H@mathemainzel.info> Thu, 02 April 2015 19:13 UTC

Message-ID: <551D9397.3070300@mathemainzel.info>
Date: Thu, 02 Apr 2015 21:08:07 +0200
From: "Walter H." <Walter.H@mathemainzel.info>
To: Willy Tarreau <w@1wt.eu>
CC: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
References: <D141A3E5.4146E%evyncke@cisco.com> <20150401114608.GA7832@1wt.eu>
In-Reply-To: <20150401114608.GA7832@1wt.eu>
Archived-At: <http://www.w3.org/mid/551D9397.3070300@mathemainzel.info>

On 01.04.2015 13:46, Willy Tarreau wrote:
> On Wed, Apr 01, 2015 at 11:32:05AM +0000, Eric Vyncke (evyncke) wrote:
>> In the era of scarce IPv4 addresses, servers should NOT link the HTTP session
>> cookies to the user-agent IP address...
>>
>> I have posted in the IETF V6OPS WG the following:
>> http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf
>> https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie
>>
>> In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change
>> of user-agent address => loss of session.
>>
>> Any suggestion on how this can be addressed? I know at least two major web
>> sites in Belgium that removed IPv6 from their web site due to this issue (and
>> their security department not wanting to unlink IP address from the session
>> cookies)
> I'm amazed people still do that in 2015, I had the idea to do it in 1999
> until I realized it was stupid and never did it!
it is not stupid, it is very clever ... why: see below
>   So I'd have guessed that
> 16 years later everyone would have also figured this! If IP addresses
> were stable during a session, cookies would not be needed, the address
> would be used instead.
the WAN address that everybody inside the LAN has in common?

think of the following:
in my country there existed a bank that had no session cookies
in its electronic banking;
they had a worse solution:
the session was stored in the URL, so it was possible to use this URL
not only in another browser or session on the same computer,
but also on another computer, because the WAN address was the same ...

and now think of MITM: nothing is easier than this, you use the same session;
can you really prove money is lost and that it was not you?
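The two failure modes argued over in this thread, as an added example that is not part of the original message or the draft: a minimal model of a server that binds the session cookie to the client address, exercised once against a dual-stack user whose next request leaves over IPv6, and once against a second host behind the same NAT that presents a copied cookie. The class, function and address values are constructed for illustration (documentation ranges from RFC 5737 and RFC 3849); they are not from any real site.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample addresses (documentation ranges, not real hosts).
NAT_WAN_IP = "203.0.113.10"   # the one IPv4 address every host behind the office NAT shares
ALICE_V6 = "2001:db8:1::a"    # Alice's own IPv6 address on a dual-stack host


@dataclass
class Session:
    user: str
    bound_ip: Optional[str]   # None means the server does not bind the session to an address


class SessionStore:
    """Hypothetical server-side session table keyed by the cookie value."""

    def __init__(self, bind_to_ip: bool) -> None:
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        """Create a session and return the cookie value to hand to the client."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip if self.bind_to_ip else None)
        return token

    def lookup(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user for a cookie, or None if the server rejects it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if s.bound_ip is not None and s.bound_ip != client_ip:
            return None       # address changed since login: server drops the session
        return s.user


def run_scenarios() -> Dict[str, Optional[str]]:
    """Run the same two requests against an IP-bound and an unbound store."""
    results: Dict[str, Optional[str]] = {}

    bound = SessionStore(bind_to_ip=True)
    tok = bound.login("alice", NAT_WAN_IP)          # login request left over IPv4 through the NAT
    # 1. Alice's next request goes out over IPv6 (dual stack): the binding kicks her out.
    results["bound/dual_stack_switch"] = bound.lookup(tok, ALICE_V6)
    # 2. Another host on the same LAN replays her cookie. The server sees the shared
    #    WAN address, so the binding cannot tell that host apart from Alice.
    results["bound/lan_peer_with_token"] = bound.lookup(tok, NAT_WAN_IP)

    unbound = SessionStore(bind_to_ip=False)
    tok2 = unbound.login("alice", NAT_WAN_IP)
    # Without binding, the address change is harmless; the replayed cookie still works.
    results["unbound/dual_stack_switch"] = unbound.lookup(tok2, ALICE_V6)
    results["unbound/lan_peer_with_token"] = unbound.lookup(tok2, NAT_WAN_IP)
    return results


if __name__ == "__main__":
    for name, user in run_scenarios().items():
        print(f"{name:30s} -> {user!r}")
```

The point the model makes concrete: the binding costs the legitimate dual-stack user her session while giving no protection against a cookie replayed from behind the same NAT, because the server only ever sees the shared WAN address in both cases.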