Presentation is loading. Please wait.

Presentation is loading. Please wait.

HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs- cookie-01 92nd IETF, Dallas, Mar 2015 V6OPS WG.

Published byAnnabella Casey Modified over 9 years ago

Similar presentations

Presentation on theme: "HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs- cookie-01 92nd IETF, Dallas, Mar 2015 V6OPS WG."— Presentation transcript:

1 HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs- cookie-01 92nd IETF, Dallas, Mar 2015 V6OPS WG Eric Vyncke

2 HTTP has no transaction concept Application stores transaction states (e-commerce chart) on the server as a ‘session’ ‘sessions’ are identified by an opaque value which is unique for the length of the transaction This value is transported as a HTTP header cookie This value is usually an index into a server table containing all transactions To prevent ‘session hijacking’, some servers store the client IP address and check it on each HTTP request HTTP Session Cookie Source: wikimedia and Pinheiro

3 Session Cookies at Work John Doe with IP address A Server Log “John Doe” in, here are my credentials Cookie C is for: John Doe Address A Authorized Shopping Cart: I want to add item FOO to my cart, here is my cookie I want to add item BAR to my cart, here is my cookie Cookie C is for: John Doe Address A Authorized Shopping Cart: FOO Cookie C is for: John Doe Address A Authorized Shopping Cart: FOO BAR Credentials valid, logged in, here is a new cookie Item FOO added Item BAR added

4 User starts a transaction with IP address A Server allocates cookie C Server stores address A and checks it for all HTTP requests having cookie C CGN change address to B (non RFC 6888 compliant) Next requests from user still uses cookie C but comes from address B Server checks the address, A != B and server refuses the request Session Cookie and IP Address Change

5 Session Cookies Changing Address John Doe with IPv6 address A Server Log “John Doe” in, here are my credentials Cookie C is for: John Doe Address A Authorized Shopping Cart: I want to add item FOO to my cart, here is my cookie Credentials valid, logged in, here is a new cookie You are not authorized John Doe with IPv4 address B

6 Return to login screen or Symptom of HTTP Requests being Denied

7 At least two content providers has stopped dual-stack deployment Infosec not ready to unlink session cookie from IP address Impact of IPv6 Deployment

8 Changes in -01 Extended -00 to other scenarios Received a couple of (supportive) comments Posted on apps-discuss => no feedback

9 Summary One IP address does not mean one user anymore Changing of IPv4 address on the course of a session causes problems Unsure about what to do... – Working group item? – Moving to APPS?

Download ppt "HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs- cookie-01 92nd IETF, Dallas, Mar 2015 V6OPS WG."

Similar presentations

PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.

PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 4 Installing and Configuring the Dynamic Host Configuration Protocol.
CSE 190: Internet E-Commerce Exam 2 Sample Questions.

CSE 190: Internet E-Commerce Exam 2 Sample Questions.
IETF 80 th 1 Analysis of Solution Candidates to Reveal the Origin IP Address in Shared Address Deployments draft-boucadair-intarea-nat-reveal-analysis-01.

IETF 80 th 1 Analysis of Solution Candidates to Reveal the Origin IP Address in Shared Address Deployments draft-boucadair-intarea-nat-reveal-analysis-01.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
1 SIPREC Recording Metadata format (draft-ram-siprec-metadata-format- 01) IETF-80 SIPREC MEETING R Parthasarathi On behalf of the team Team: Paul Kyzivat,

1 SIPREC Recording Metadata format (draft-ram-siprec-metadata-format- 01) IETF-80 SIPREC MEETING R Parthasarathi On behalf of the team Team: Paul Kyzivat,
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
Eric Vyncke, May 14 th 2015 HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs-cookie-01 RIPE 70, May.

Eric Vyncke, May 14 th 2015 HTTP State Management Mechanisms with Multiple Addresses User Agents draft-vyncke-v6ops-happy-eyeballs-cookie-01 RIPE 70, May.
IPv6 RADIUS attributes for IPv6 access networks draft-lourdelet-radext-ipv6-access-01 Glen Zorn, Benoit Lourdelet Wojciech Dec, Behcet Sarikaya Radext/dhc.

IPv6 RADIUS attributes for IPv6 access networks draft-lourdelet-radext-ipv6-access-01 Glen Zorn, Benoit Lourdelet Wojciech Dec, Behcet Sarikaya Radext/dhc.
SHOPPING CARTS CHAPTER 19. E-COMMERCE Typically, an e-commerce site will have public pages and admin pages.

SHOPPING CARTS CHAPTER 19. E-COMMERCE Typically, an e-commerce site will have public pages and admin pages.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.

COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.

Chapter 2. Core Defense Mechanisms. Fundamental security problem All user input is untrusted.
1 IPv6 Deployment Scenarios in 802.16(e) Networks draft-ietf-v6ops-802-16-deployment-scenarios-01 Myung-Ki Shin, ETRI Youn-Hee Han, KUT Sang-Eon Kim, KT.

1 IPv6 Deployment Scenarios in (e) Networks draft-ietf-v6ops deployment-scenarios-01 Myung-Ki Shin, ETRI Youn-Hee Han, KUT Sang-Eon Kim, KT.
12/3/2012ISC329 Isabelle Bichindaritz1 PHP and MySQL Advanced Features.

12/3/2012ISC329 Isabelle Bichindaritz1 PHP and MySQL Advanced Features.
Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.

Week seven CIT 354 Internet II. 2 Objectives Database_Driven User Authentication Using Cookies Session Basics Summary Homework and Project 2.
Www.monash.edu.au Wei Dong and Jan Newmarch June 2005 Session Management for Web Services by using SIP.

Wei Dong and Jan Newmarch June 2005 Session Management for Web Services by using SIP.
Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.

Lecture 8 – Cookies & Sessions SFDV3011 – Advanced Web Development 1.
IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.

IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.

Similar presentations

Ads by Google