Question re session hijacking in dual stack environments w/MacOS
John Schimmel
johns at a10networks.com
Sun Sep 27 12:24:17 UTC 2015
I can¹t speak to every case, but I ran into a similar issue with our WAF
product, so I can explain what was happening there.
Most Web application firewalls have cross-site request forgery protection.
When a form is downloaded, the firewall inserts a hidden field or cookie
that contains the IP address of the request. When the form is submitted,
the firewall then verifies that the post is sent from the same address. If
the client does a get via IPv6, and the form contains a form action for a
URL that is better reached via IPv4 then the firewall sees the post coming
from a different IP address and refuses the request.
This is nothing specifically to do with MacOS, it is true of any multi-homed
system. The options are either to rewrite the client to guarantee that the
address in a post always matches the corresponding get; to maintain
different URLs on the server such that requests from IPv6 clients always
return action URLs that will go to an IPv6 hostname, and vice-versa for
IPv4; or to disable CSRF protection.
Later,
John
> From: David Hubbard <dhubbard at dino.hostasaurus.com>
>
> Hey all, as we've slowly deployed IPv6 to our end users, it has begun to
> cause some issues for those on Mac's specifically. Apple apparently has
> an algorithm at some point in the network stack to decide whether IPv4
> or IPv6 is, perhaps, 'better' or 'faster' at any given point in time
> during an ongoing session. This allows a computer talking to a dual
> stack remote website to flip flop between v4 and v6 as activity is
> conducted.
>
> Websites that require some type of authentication that is handled via
> session cookies have been booting our users out randomly with "your ip
> address has changed" type message. This occurs when their Mac decides
> to switch between protocols because the site views it as a session
> hijacking attempt when Joe User with session ID xyz switches from
> 192.0.2.10 to 2001:db8::1:1:a or vice versa.
>
> Has anyone run into this? Our users on other platforms don't seem to
> have this issue; linux and MS desktops seem to just use v6 if it's
> available and v4 if not.
>
> Thanks,
>
> David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4560 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20150927/22ee6655/attachment.bin>
More information about the NANOG
mailing list