nanog mailing list archives
Re: Question re session hijacking in dual stack environments w/MacOS
From: Laszlo Hanyecz <laszlo () heliacal net>
Date: Sat, 26 Sep 2015 15:39:03 +0000
On 2015-09-26 14:34, David Hubbard wrote:
> Websites that require some type of authentication that is handled via session cookies have been booting our users out randomly with "your ip address has changed" type message. This occurs when their Mac decides to switch between protocols because the site views it as a session hijacking attempt when Joe User with session ID xyz switches from 192.0.2.10 to 2001:db8::1:1:a or vice versa.
This sounds like a really poor practice on the part of the website operators. Users on wireless devices may be switching networks throughout the same session (wifi/LTE), or there could be a cluster of proxies, or short DHCP leases, or Tor circuit changes, or privacy extensions, etc. This is almost as bad as using GeoIP databases to authenticate.
-Laszlo
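
The failure described in this message, as an added example that is not part of the original thread: a session check that treats any address change as hijacking, next to one that lets the session token decide validity and only records the change. `Session`, `strict_check`, `tolerant_check` and `replay` are hypothetical names, the token is constructed, and the tolerant policy is an assumption rather than something proposed in the thread.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Session:
    token: str
    bound_ip: str                 # address seen at login
    active: bool = True
    ip_changes: list = field(default_factory=list)

def strict_check(s, presented_token, client_ip):
    """Behaviour described in the thread: any address change ends the session."""
    if not s.active:
        return "reject: session ended"
    if not hmac.compare_digest(s.token, presented_token):
        return "reject: bad token"
    if ipaddress.ip_address(client_ip) != ipaddress.ip_address(s.bound_ip):
        s.active = False          # dual-stack switch is treated as hijacking
        return "reject: ip address has changed"
    return "ok"

def tolerant_check(s, presented_token, client_ip):
    """Assumed alternative: the token decides validity, the address is a signal."""
    if not s.active:
        return "reject: session ended"
    if not hmac.compare_digest(s.token, presented_token):
        return "reject: bad token"
    last = s.ip_changes[-1] if s.ip_changes else s.bound_ip
    if ipaddress.ip_address(client_ip) != ipaddress.ip_address(last):
        s.ip_changes.append(client_ip)   # recorded for audit, not a logout
    return "ok"

# Constructed request sequence: one client flipping between IPv4 and IPv6,
# using the documentation addresses quoted in the message above.
REQUESTS = ["192.0.2.10", "2001:db8::1:1:a", "192.0.2.10"]
TOKEN = "xyz-constructed-token"

def replay(check):
    """Run the same requests through a check; return results and final session."""
    s = Session(token=TOKEN, bound_ip="192.0.2.10")
    return [check(s, TOKEN, ip) for ip in REQUESTS], s

if __name__ == "__main__":
    for check in (strict_check, tolerant_check):
        results, s = replay(check)
        print(check.__name__, results, s.ip_changes)
```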