Question re session hijacking in dual stack environments w/MacOS
Laszlo Hanyecz
laszlo at heliacal.net
Sat Sep 26 15:39:03 UTC 2015
On 2015-09-26 14:34, David Hubbard wrote:
> Websites that require some type of authentication that is handled via
> session cookies have been booting our users out randomly with a "your IP
> address has changed" type message. This occurs when their Mac decides
> to switch between protocols, because the site views it as a session
> hijacking attempt when Joe User with session ID xyz switches from
> 192.0.2.10 to 2001:db8::1:1:a or vice versa.
This sounds like a really poor practice on the part of the website
operators. Users on wireless devices may be switching networks
throughout the same session (Wi-Fi/LTE), or there could be a cluster of
proxies, or short DHCP leases, or Tor circuit changes, or privacy
extensions, etc. This is almost as bad as using GeoIP databases to
authenticate.
-Laszlo
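Added example, not code from the thread or from either poster: a small session store that reproduces the behaviour David describes (drop the session when the client address changes) next to the alternative Laszlo's reply implies (keep the session, record the change as a risk signal, and ask for step-up authentication only for sensitive actions). The user name, the session-store API and the two addresses replayed are constructed sample data; the addresses are the documentation prefixes quoted in the original message.

```python
"""Added example, not from the NANOG thread. Compares a session store that
binds sessions to the client IP with one that records an address change as
a risk signal. All names and addresses below are constructed sample data."""

import ipaddress
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    created_at: float
    seen_ips: list = field(default_factory=list)     # addresses this session was used from
    risk_events: list = field(default_factory=list)  # (kind, detail) pairs, oldest first


class SessionStore:
    """In-memory session store (hypothetical API). bind_to_ip=True gives the
    'your IP address has changed' behaviour; False keeps the session alive
    and records the change instead."""

    def __init__(self, bind_to_ip: bool):
        self.bind_to_ip = bind_to_ip
        self._sessions: dict = {}

    @staticmethod
    def _canon(client_ip: str) -> str:
        # Normalise the textual form so "2001:DB8::1:1:A" and "2001:db8::1:1:a"
        # compare equal, and reject anything that is not an address at all.
        return str(ipaddress.ip_address(client_ip))

    def create(self, user: str, client_ip: str) -> str:
        # A 256-bit random ID is the bearer credential; its unpredictability,
        # not the client address, is what makes the session hard to hijack.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, created_at=time.time(),
                                      seen_ips=[self._canon(client_ip)])
        return sid

    def validate(self, sid: str, client_ip: str) -> tuple:
        """Return (accepted, reason) for a request presenting session sid."""
        s = self._sessions.get(sid)
        if s is None:
            return (False, "unknown session")
        ip = self._canon(client_ip)
        if ip == s.seen_ips[-1]:
            return (True, "ok")
        if self.bind_to_ip:
            # The behaviour complained about: a dual-stack client that moves
            # between IPv4 and IPv6 mid-session is treated as a hijack.
            del self._sessions[sid]
            return (False, "your ip address has changed")
        # Address changed but the session continues. Note whether the address
        # family changed (the dual-stack case) or only the address did.
        old_version = ipaddress.ip_address(s.seen_ips[-1]).version
        new_version = ipaddress.ip_address(ip).version
        kind = "family_switch" if old_version != new_version else "ip_change"
        s.risk_events.append((kind, f"{s.seen_ips[-1]} -> {ip}"))
        s.seen_ips.append(ip)
        return (True, "ok")

    def requires_step_up(self, sid: str) -> bool:
        """Policy hook: after any address change, ask the user to
        re-authenticate before a sensitive action instead of logging them
        out on every request."""
        s = self._sessions.get(sid)
        return s is not None and bool(s.risk_events)


def dual_stack_demo() -> dict:
    """Replay the thread's scenario (constructed addresses) under both policies."""
    v4, v6 = "192.0.2.10", "2001:db8::1:1:a"
    results = {}
    for bind in (True, False):
        store = SessionStore(bind_to_ip=bind)
        sid = store.create("joe", v4)
        store.validate(sid, v4)               # same address: accepted either way
        ok, reason = store.validate(sid, v6)  # the Mac switches to IPv6
        session = store._sessions.get(sid)
        results["ip_bound" if bind else "risk_signal"] = {
            "accepted": ok,
            "reason": reason,
            "step_up": store.requires_step_up(sid),
            "events": list(session.risk_events) if session else [],
        }
    return results


if __name__ == "__main__":
    for policy, outcome in dual_stack_demo().items():
        print(policy, outcome)
```

With the IP-bound policy the second request is rejected and the session is gone; with the risk-signal policy the same request is accepted, a `family_switch` event is recorded, and `requires_step_up` reports that a sensitive action should prompt for re-authentication. The strength of the session still rests on the random session ID and the cookie's transport protections, which the address check never added to in the first place.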
More information about the NANOG mailing list