WICG / dbsc

Other
317 stars 24 forks source link

IP binding with Cookies cant be enough ? #25

Open threatdecoder opened 7 months ago

threatdecoder commented 7 months ago

Hello Team,

I may be wrong, but I wanted to understand why IP address binding to cookie cant be enough to solve this problem?

Server maintains a cookie with the IP address of the session with which it is associated.

Whenever Server receives cookie from different IP address, it will raise for re-login.

Yes, network change will trigger this but we can accept it given the elimination of Stealer Malware.

Sora2455 commented 7 months ago

Major services like social media, where session theft would be devastating, would find constant re-authentication untenable - especially on mobile, where network changes are frequent and common.

arnar commented 7 months ago

IPs do change frequently, e.g. when moving between mobile and wifi connections, and as Sora2455 points out, frequent reauth can be high enough friction to make that untenable for many applications.

IPs can also be spoofable, or overtaken by attackers, and the mitigation mechanisms for that would be very far removed from either the client or the server.