nanog mailing list archives

Re: Question re session hijacking in dual stack environments w/MacOS


From: John Schimmel <johns () a10networks com>
Date: Sun, 27 Sep 2015 12:24:17 +0000

I can't speak to every case, but I ran into a similar issue with our WAF
product, so I can explain what was happening there.

Most Web application firewalls have cross-site request forgery protection.
When a form is downloaded, the firewall inserts a hidden field or cookie
that contains the IP address of the request.  When the form is submitted,
the firewall then verifies that the post is sent from the same address.  If
the client does a get via IPv6, and the form contains a form action for a
URL that is better reached via IPv4 then the firewall sees the post coming
from a different IP address and refuses the request.

This is nothing specifically to do with MacOS, it is true of any multi-homed
system.  The options are either to rewrite the client to guarantee that the
address in a post always matches the corresponding get; to maintain
different URLs on the server such that requests from IPv6 clients always
return action URLs that will go to an IPv6 hostname, and vice-versa for
IPv4; or to disable CSRF protection.

Later,
John

From: David Hubbard <dhubbard () dino hostasaurus com>

Hey all, as we've slowly deployed IPv6 to our end users, it has begun to
cause some issues for those on Macs specifically.  Apple apparently has
an algorithm at some point in the network stack to decide whether IPv4
or IPv6 is, perhaps, 'better' or 'faster' at any given point in time
during an ongoing session.  This allows a computer talking to a dual
stack remote website to flip flop between v4 and v6 as activity is
conducted.

Websites that require some type of authentication that is handled via
session cookies have been booting our users out randomly with "your ip
address has changed" type message.  This occurs when their Mac decides
to switch between protocols because the site views it as a session
hijacking attempt when Joe User with session ID xyz switches from
192.0.2.10 to 2001:db8::1:1:a or vice versa.

Has anyone run into this?  Our users on other platforms don't seem to
have this issue; Linux and MS desktops seem to just use v6 if it's
available and v4 if not.

Thanks,

David
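
The check described in the reply above, as an added example that is not part of the original thread or of any WAF product's code: an HMAC token bound to the client address rejects the POST once the client flips from 2001:db8::1:1:a to 192.0.2.10, while a token bound to the session ID (an alternative the thread does not mention) still validates and still rejects another session. The key, form name and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-key"  # constructed; a real deployment uses a random secret


def _mac(binding: str, form_id: str) -> str:
    # HMAC over the form identifier plus whatever the token is bound to.
    msg = f"{form_id}|{binding}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def canonical_ip(addr: str) -> str:
    """Normalise textual forms so only a real address change fails the check."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d as seen on a dual-stack socket
    return ip.compressed


def issue_ip_bound(form_id: str, client_ip: str) -> str:
    return _mac("ip:" + canonical_ip(client_ip), form_id)


def check_ip_bound(token: str, form_id: str, client_ip: str) -> bool:
    return hmac.compare_digest(token, issue_ip_bound(form_id, client_ip))


def issue_session_bound(form_id: str, session_id: str) -> str:
    return _mac("sid:" + session_id, form_id)


def check_session_bound(token: str, form_id: str, session_id: str) -> bool:
    return hmac.compare_digest(token, issue_session_bound(form_id, session_id))


def demo() -> dict:
    v4, v6 = "192.0.2.10", "2001:db8::1:1:a"  # addresses from the thread
    t_ip = issue_ip_bound("login", v6)          # form fetched (GET) over IPv6
    t_sid = issue_session_bound("login", "xyz")
    return {
        "ip_same_address": check_ip_bound(t_ip, "login", "2001:0db8:0:0:0:1:1:a"),
        "ip_after_flip": check_ip_bound(t_ip, "login", v4),   # POST over IPv4
        "sid_after_flip": check_session_bound(t_sid, "login", "xyz"),
        "sid_other_session": check_session_bound(t_sid, "login", "abc"),
    }


if __name__ == "__main__":
    print(demo())
```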


