nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Question re session hijacking in dual stack environments w/MacOS

From: Brandon Butterworth <brandon () rd bbc co uk>
Date: Sun, 27 Sep 2015 00:35:05 +0100 (BST)
From: David Hubbard <dhubbard () dino hostasaurus com>
Websites that require some type of authentication that is handled via
session cookies have been booting our users out randomly with "your ip
address has changed" type message.  This occurs when their Mac decides
to switch between protocols because the site views it as a session
hijacking attempt when Joe User with session ID xyz switches from
192.0.2.10 to 2001:db8::1:1:a or vice versa.

Has anyone run into this?


It's 1997 again? This used to be a common IPv4 problem for us as users
exited through a cluster of squid caches which could result in a
different address per request. Those site eventually learnt after much
feedback not to assume on IPv4 address continuity.

brandon
Previous By Date Next
Previous By Thread Next

Current thread: