Question re session hijacking in dual stack environments w/MacOS

Mailman List Mirror (Read Only)
1

From: David Hubbard <dhubbard@dino.hostasaurus.com>
Websites that require some type of authentication that is handled via
session cookies have been booting our users out randomly with "your ip
address has changed" type message. This occurs when their Mac decides
to switch between protocols because the site views it as a session
hijacking attempt when Joe User with session ID xyz switches from
192.0.2.10 to 2001:db8::1:1:a or vice versa.

Has anyone run into this?

It's 1997 again? This used to be a common IPv4 problem for us as users
exited through a cluster of squid caches which could result in a
different address per request. Those site eventually learnt after much
feedback not to assume on IPv4 address continuity.

brandon

2

‎> Those site eventually learnt after much feedback not to assume on IPv4 address continuity.

I could envision that those checks might now be relaxed‎ to checking for address continuity in the same /24 for instance.

But when you're seeing the same session being used from two wildly different places (in this case, IPv4 and IPv6) at the SAME TIME, that does seem rather suspicious in the absence of other information.

M.