Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eric Vyncke, May 14 th 2015 HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs-cookie-01 RIPE 70, May.

Published byAugustus Carroll Modified over 9 years ago

Similar presentations

Presentation on theme: "Eric Vyncke, May 14 th 2015 HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs-cookie-01 RIPE 70, May."— Presentation transcript:

1 Eric Vyncke, May 14 th 2015 HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs-cookie-01 RIPE 70, May 2015, Amsterdam, NL IPv6 WG Eric Vyncke evyncke@cisco.com @evynckeevyncke@cisco.com

2 Eric Vyncke, May 14th 2015 HTTP Session Cookie HTTP has no transaction concept Application stores transaction states (e-commerce cart) on the server as a ‘session’ ‘sessions’ are identified by an opaque value which is unique for the length of the transaction – This value is transported as a HTTP header cookie – This value is usually an index into a server table containing all transactions To prevent ‘session hijacking’, some servers store the client IP address and check it on each HTTP request Source: wikimedia and Pinheiro

3 Eric Vyncke, May 14th 2015 Session Cookies at Work John Doe with IP address A Server Log “John Doe” in, here are my credentials Cookie C is for: John Doe Address A Authorized Shopping Cart: I want to add item FOO to my cart, here is my cookie I want to add item BAR to my cart, here is my cookie Cookie C is for: John Doe Address A Authorized Shopping Cart: FOO Cookie C is for: John Doe Address A Authorized Shopping Cart: FOO BAR Credentials valid, logged in, here is a new cookie Item FOO added Item BAR added

4 Eric Vyncke, May 14th 2015 Session Cookie and IP Address Change User starts a transaction with IP address A Server allocates cookie C Server stores address A and checks it for all HTTP requests having cookie C The CRUX: – Happy Eyeball (RFC 6555) switches address family and use address B – CGN change address to B (non RFC 6888 compliant) Next requests from user still uses cookie C but comes from address B Server checks the address, A != B and server refuses the request

5 Eric Vyncke, May 14th 2015 Session Cookies Changing Address John Doe with IPv6 address A Server Log “John Doe” in, here are my credentials Cookie C is for: John Doe Address A Authorized Shopping Cart: I want to add item FOO to my cart, here is my cookie Credentials valid, logged in, here is a new cookie You are not authorized John Doe with IPv4 address B

6 Eric Vyncke, May 14th 2015 Symptom of HTTP Requests being Denied Return to login screen or

7 Eric Vyncke, May 14th 2015 Impact of IPv6 Deployment At least two content providers in Belgium have stopped dual-stack deployment – Infosec not ready to unlink session cookie from IP address It is slowing down IPv6 content deployment

8 Eric Vyncke, May 14th 2015 Summary One IP address does not mean one user anymore Changing of IP address on the course of a session causes problems RFC 6883 section 8.2 briefly mention this Caused by CGN, Happy Eyeball, Multi-Interface,... MPTCP should solve it (if widely implemented) Working with OWASP to fix: – https://www.owasp.org/index.php/Session_Management_Cheat_Sheet https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

9 Questions?

Download ppt "Eric Vyncke, May 14 th 2015 HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs-cookie-01 RIPE 70, May."

Similar presentations

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
CSE 190: Internet E-Commerce Exam 2 Sample Questions.

CSE 190: Internet E-Commerce Exam 2 Sample Questions.
Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities Mainuddin.

Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities Mainuddin.
IETF 80 th 1 Analysis of Solution Candidates to Reveal the Origin IP Address in Shared Address Deployments draft-boucadair-intarea-nat-reveal-analysis-01.

IETF 80 th 1 Analysis of Solution Candidates to Reveal the Origin IP Address in Shared Address Deployments draft-boucadair-intarea-nat-reveal-analysis-01.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.

DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Web Caching: Replication on the World Wide Web Jonathan Bulava CSC8530 – Distributed Systems Dr. Paul Schragger.

Web Caching: Replication on the World Wide Web Jonathan Bulava CSC8530 – Distributed Systems Dr. Paul Schragger.
Cisco Public 1 © 2014 Cisco and/or its affiliates. All rights reserved. Eric VYNCKE, Cisco, And many others September 2014

Cisco Public 1 © 2014 Cisco and/or its affiliates. All rights reserved. Eric VYNCKE, Cisco, And many others September 2014
About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.

About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.
SHOPPING CARTS CHAPTER 19. E-COMMERCE Typically, an e-commerce site will have public pages and admin pages.

SHOPPING CARTS CHAPTER 19. E-COMMERCE Typically, an e-commerce site will have public pages and admin pages.
1 APNIC Open Address Policy Meeting Special Interest Group Session March 2nd, Korea, Seoul.

1 APNIC Open Address Policy Meeting Special Interest Group Session March 2nd, Korea, Seoul.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.

COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.

Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.
12/3/2012ISC329 Isabelle Bichindaritz1 PHP and MySQL Advanced Features.

12/3/2012ISC329 Isabelle Bichindaritz1 PHP and MySQL Advanced Features.
Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.

Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.

Similar presentations

Ads by Google