Post AUJ32sVm98KWV9jAVE by BenBen@chaos.social
Post #AUJ2HHhRC7E4ilUJTk by stux@mstdn.social
2023-04-04T10:50:40Z
0 likes, 0 repeats
Is there a reason why cookies cannot be bound to an IP, for example? If one were to steal cookies :blobcatcookie: they simply shouldn't work from a different IP🤔 Ofc it's a little trickier when switching between networks, but perhaps worth it
Post #AUJ2XV3rHfJWnKhuSG by BenBen@chaos.social
2023-04-04T10:53:40Z
0 likes, 0 repeats
@stux The whole security concept of browsers is historically built around "origins". And origins are based on domains/URLs and not IPs… see https://developer.mozilla.org/en-US/docs/Glossary/Origin
Post #AUJ2cPGoF6IyHX6Xqa by RickRae@fosstodon.org
2023-04-04T10:54:31Z
0 likes, 0 repeats
@stux How would you handle dynamic addressing, CGNAT, etc?
Post #AUJ2cqIrjYzc7jH4Ii by stux@mstdn.social
2023-04-04T10:54:34Z
0 likes, 0 repeats
@BenBen No, no, I mean from the users, not the origin 😉 So an extra check for 'user cookies' that only work from a certain user IP
Post #AUJ2hCDYCPAdFQrdVA by stux@mstdn.social
2023-04-04T10:55:24Z
0 likes, 0 repeats
@RickRae Good q..
Post #AUJ2oqOxC7vzu3qR5E by marcin_sawicki@social.abstractionleak.com
2023-04-04T10:56:48Z
0 likes, 0 repeats
@stux The first thing I can think of: a case where a user is accessing the service with their smartphone, using mobile data. The IP would change frequently, invalidating cookies each time
Post #AUJ2sUpLLjKS9Lvhaq by stux@mstdn.social
2023-04-04T10:57:28Z
0 likes, 0 repeats
@marcin_sawicki Yeah, I was thinking the same, but wouldn't that be worth it? :blobcatgiggle: basically just once
Post #AUJ31fx9LwfBGKxTG4 by tomasveneny@mstdn.social
2023-04-04T10:59:10Z
0 likes, 0 repeats
@stux One website has this. I'm avoiding this website ... this is more about privacy than security. However, I'm using a VPN (so they won't have my real IP), but still.
Post #AUJ32sVm98KWV9jAVE by BenBen@chaos.social
2023-04-04T10:59:21Z
0 likes, 0 repeats
@stux ah, got it. Could easily be implemented on the app level, but I would opt for SSL client certs for such restricted use cases most of the time, I think.
Post #AUJ39j6HXFStLA4JGq by optimant@hachyderm.io
2023-04-04T11:00:35Z
0 likes, 0 repeats
@stux some sites do this in business logic or at a load balancer level. The trick is it makes you log out if your IP drifts mid-session, as is common for mobile and laptop users. A better control is to not own long-duration authentication cookies of your own. Be as stateless as possible; punt to external SSO if you can and make it outside your scope of concern.
Post #AUJ3b016kR5ZcneYTY by hedgiept@koyu.space
2023-04-04T11:04:57Z
0 likes, 0 repeats
@stux because dynamic public IPs are a thing for residential users; meaning, if one so much as turns off their modem, the next time they turn it on they could have a different IP assigned by their ISP.
Post #AUJ3nWSZx29HiiTS1w by marcin_sawicki@social.abstractionleak.com
2023-04-04T11:07:44Z
0 likes, 0 repeats
@stux Hard time for people working on the train :craziedtrollface:
Post #AUJ4Lu98ONON1nm1ia by bekopharm@social.tchncs.de
2023-04-04T11:14:00Z
0 likes, 0 repeats
@stux Did you know that you can add an IP to a cert?
Post #AUJ9asl2KxIcpsSn2W by AlexGizis@mstdn.social
2023-04-04T12:12:44Z
0 likes, 0 repeats
@stux sure you can, make your cookie a signed JWT with the IP in it, reject the cookie any time the IPs don't match. Why would you want to? Users change IPs all the time, and many users can share the same IP. I'm not seeing what this would gain you.
Post #AUJrERkITwqqfjEIEK by ernstdemoor@mstdn.social
2023-04-04T20:21:42Z
0 likes, 0 repeats
@stux I have used this since the beginning for our own CMS, and this really makes things a lot more secure. There is a catch, however: before IPv6 was commonly used (yeah, I'm that old) it was easy. But nowadays a client sometimes automatically switches from IPv4 to IPv6. Therefore I modified the code to accept one IP address for each. Also, I don't like the concept of cookies for several reasons, so nowadays I code the session key in the URL. Still guarded by the IP.
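The "signed token with the IP in it" idea from AlexGizis's post and the one-address-per-family accommodation from ernstdemoor's post, as an added example that is not code from any poster: an HMAC-signed session token in Python with a constructed demo key. `verify` rejects tampering and address drift, and the comment marks where learning the second address family weakens the binding.

```python
import base64, hashlib, hmac, ipaddress, json

# Constructed demo key for this example only; a deployment loads it from a secret store.
KEY = b"example-signing-key-not-for-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(claims: dict) -> str:
    """Serialise claims canonically and append an HMAC-SHA256 tag (compact JWT-like form)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(KEY, body, hashlib.sha256).digest())

def issue(user: str, client_ip: str) -> str:
    """Issue a token bound to the client's address, with one slot per IP family."""
    addr = ipaddress.ip_address(client_ip)
    claims = {"sub": user, "ip4": None, "ip6": None}
    claims["ip4" if addr.version == 4 else "ip6"] = str(addr)
    return _encode(claims)

def verify(token: str, client_ip: str):
    """Return (claims, refreshed_token_or_None) if the token is valid for this
    connection; return None to reject the cookie and force a fresh login."""
    try:
        body_b64, sig_b64 = token.split(".")
        body = _unb64(body_b64)
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None                      # forged or tampered token
        claims = json.loads(body)
        addr = ipaddress.ip_address(client_ip)
    except (ValueError, TypeError):
        return None                          # malformed token or unparsable address
    slot = "ip4" if addr.version == 4 else "ip6"
    bound = claims.get(slot)
    if bound is None:
        # Other family seen for the first time (dual-stack client flipped v4<->v6):
        # bind it and re-sign. This is the scheme's soft spot: until that family is
        # bound, a copied token is accepted from any address of that family.
        claims[slot] = str(addr)
        return claims, _encode(claims)
    if bound != str(addr):
        return None                          # address drift (mobile, CGNAT, modem reboot)
    return claims, None
```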
Post #AUKpqwQumd0d5gDKQC by kkarhan@mstdn.social
2023-04-05T07:40:59Z
0 likes, 0 repeats
@stux well, with HTTP-AUTH that seems to be built in, cuz a reauth is required with a timed-out connection or changed IP. Cookies are by design agnostic of the underlying connection, which makes them incapable of doing so. Thus cookies should not be used for authentication, and enterprises should instead provide means to do whitelisting of IPs allowed to access instead.
Post #AULA4vuEcFILCoS1Ka by otakugenx@mastodon.social
2023-04-05T11:27:32Z
0 likes, 0 repeats
@stux I bound cookies to an IP in some Perl CGI I did, like 15 years ago.