@techreport{vyncke-v6ops-happy-eyeballs-cookie-01,
    number =    {draft-vyncke-v6ops-happy-eyeballs-cookie-01},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-vyncke-v6ops-happy-eyeballs-cookie/01/},
    author =    {Éric Vyncke},
    title =     {{HTTP State Management Mechanisms with Multiple Addresses User Agents}},
    pagetotal = 7,
    year =      2015,
    month =     mar,
    day =       5,
    abstract =  {HTTP servers usually save session states in their persistent storage indexed by session cookies generated by the HTTP servers. It is up to the HTTP user-agent to send this session cookie on each HTTP request. Some HTTP servers check whether the cookie is associated with the HTTP user-agent by the means of the user-agent IP address. Everything linking a state to an IP address (such as OAuth access code) to an IP address has the same issue. If the Happy Eyeball mechanism is used to select between IPv6 and IPv4, it may happen that while using the same HTTP server, some HTTP requests are done over IPv6 and the others over IPv4, which leads to two different sets of session states in the HTTP server. This has the consequence of inconsistencies at the HTTP server. The only purpose of this document is to document this issue in more details than in section 8.2 of RFC 6883 including security considerations and mitigations. A similar problem arises with the use of non RFC 6888 compliant Carrier-Grade NAT (CGN) devices used to access an IPv4-only HTTP server or HTTP user-agent using multi-homing.},
}