undefined | Better HN

0 pointsangelbob13y ago0 comments

"Leakable" in the sense that you can hand it to somebody else and they can actually use it.

A cookie is leakable because the client chooses to send it, so copying it to somebody else is really bad. A server-assigned per-connection ID is not leakable unless you can spoof the IP address of the one you're sending as.

0 comments

jvdongen13y ago

In principle you could already achieve that by binding a session (and corresponding cookie) to the client's IP address. No big deal.

Problem you may have is that some clients are behind proxy farms and can arrive with different source IP addresses within the scope of a single session.

If you do not bind the 'server-assigned-per-connection ID' to an IP address they become just as 'leakable' as a session cookie.

vidarh13y ago

Doing server side IP checks is already easy, but in reality it can lead to massive amounts of user complaints when their sessions keep disappearing, because as it turns out, some user segments have a lot of users coming through proxies where each request is not guaranteed to come from the same IP.

eli13y ago

Or their mobile device roams from WiFi to cell data.

I suspect anyone suggesting that an IP be part of the session security has never actually tried it on a large scale.

angelbobOP13y ago

Sure. It'd be nice to have some kind of actual standard to at least make a good best guess here. Cookies are a really, really bad start.

ay13y ago

Then a translation device at carrier assigns the client a different address. I heard first-hand that this is very annoying.

j / k navigate · click thread line to collapse