Re: Linking a cookie to an IP address is a very bad in 2015...

Jim Manico <jim@manico.net> Wed, 01 April 2015 21:49 UTC

Resent-Date: Wed, 01 Apr 2015 21:45:23 +0000
Resent-Message-Id: <E1YdQRv-0002wD-HD@frink.w3.org>
Content-Type: multipart/alternative; boundary="Apple-Mail-FC605D24-AD63-48CF-8D81-D5EE610E126C"
Mime-Version: 1.0 (1.0)
From: Jim Manico <jim@manico.net>
In-Reply-To: <B0E8A4F8-3D3C-44A1-B999-0B3E9034C00E@apple.com>
Date: Wed, 01 Apr 2015 14:44:49 -0700
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: 7bit
Message-Id: <D666DA87-60FC-4DD7-B733-3855F5CEA190@manico.net>
References: <D141A3E5.4146E%evyncke@cisco.com> <B0E8A4F8-3D3C-44A1-B999-0B3E9034C00E@apple.com>
To: Michael Sweet <msweet@apple.com>
Received-SPF: none client-ip=209.85.192.177; envelope-from=jim@manico.net; helo=mail-pd0-f177.google.com
Subject: Re: Linking a cookie to an IP address is a very bad in 2015...
Archived-At: <http://www.w3.org/mid/D666DA87-60FC-4DD7-B733-3855F5CEA190@manico.net>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

Michael,

I manage the cheatsheet series for OWASP. If you think this should be changed hit me up off list at jim@owasp.org

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Apr 1, 2015, at 1:13 PM, Michael Sweet <msweet@apple.com> wrote:
> 
> Here is the information our security guys rely on for best practices in web site session cookies:
> 
>     https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
> 
> Client IP address is currently listed as one of the properties that can be used to bind the session ID to a specific client.
> 
> I'm not sure whether current PHP, etc. use the client IP or User Agent to validate the session ID...
> 
> 
>> On Apr 1, 2015, at 7:32 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
>> 
>> In the era of scarce IPv4 addresses, servers should NOT link the HTTP session cookies to the user-agent IP address...
>> 
>> I have posted in the IETF V6OPS WG the following:
>> http://www.ietf.org/proceedings/92/slides/slides-92-v6ops-6.pdf 
>> https://tools.ietf.org/html/draft-vyncke-v6ops-happy-eyeballs-cookie 
>> 
>> In short, heavy use of NAT and/or dual-stack (IPv4/IPv6) can cause a change of user-agent address => lost of session.
>> 
>> Any suggestion on how this can be addressed? I know at least two major web sites in Belgium that removed IPv6 from their web site due to this issue (and their security department not wanting to unlink IP address from the session cookies)
>> 
>> Comments are welcome
>> 
>> -éric
> 
> _________________________________________________________
> Michael Sweet, Senior Printing System Engineer, PWG Chair
>

Linking a cookie to an IP address is a very bad i… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Martin Thomson
Re: Linking a cookie to an IP address is a very b… Zhong Yu
Re: Linking a cookie to an IP address is a very b… Michael Sweet
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Willy Tarreau
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Walter H.
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Max Bruce
Re: Linking a cookie to an IP address is a very b… Jim Manico
Re: Linking a cookie to an IP address is a very b… Eric Vyncke (evyncke)
Re: Linking a cookie to an IP address is a very b… Walter H.