Pooled IP access question

Mike Flynn shibbolethlynda at yahoo.com
Tue Apr 1 18:22:12 EDT 2014

OK, so it sounds like even with HttpOnly, I am introducing a vulnerability.  If I set HttpOnly on the cookie property, will that affect all users with existing cookies?
On Tuesday, April 1, 2014 2:10 PM, "Cantor, Scott" <cantor.2 at osu.edu> wrote:
On 4/1/14, 4:49 PM, "Mike Flynn" <shibbolethlynda at yahoo.com> wrote:

>I have a client whose IP address changes between requests.  I have been
>using my test system to let them work out their details.  I added
>consistentAddress="false" to my session stanza to allow them to test like
>this.  My question is, what is the security risk by allowing this?

An HTTP session cookie has no protection other than secrecy and address
binding, so you're removing the second and anybody with the right cookie
value is able to impersonate the session. Since browsers are riddled with
security holes around same-origin policies, that basically means if
somebody wants to steal the session, they probably can if they control a
site the user visits.

You can mitigate this slightly by making sure you use HttpOnly as a cookie
property, which is automatic in newer SP versions, but not in yours.

>Does it facilitate man in the middle attacks?

Among other kinds, yes.

-- Scott
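As an added illustration (not from the thread, and not copied from the Shibboleth project's documentation), here are the two `<Sessions>` configurations being discussed: the first with the address check switched off and no cookie attributes, the second with the address check still off but the session cookie at least confined to HTTPS and hidden from script. The lifetime, timeout, relayState and handlerURL values are placeholders; the literal cookieProps string is the form accepted by SP 2.x, and cookieProps="https" is the shorthand in SP 2.4 and later that sets Secure and HttpOnly for you.

```xml
<!-- Weak: address binding removed (consistentAddress="false") and no cookie
     attributes, so a leaked cookie value can be replayed from any host and
     is readable via document.cookie. Example config, not the SP's shipped
     default; attribute values other than consistentAddress/cookieProps are
     placeholders. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          handlerURL="/Shibboleth.sso" handlerSSL="true"
          consistentAddress="false">
  <!-- SessionInitiator and other handlers unchanged -->
</Sessions>

<!-- Still not address-bound, but the cookie is only sent over TLS and is
     not exposed to script. This literal string works on all SP 2.x;
     cookieProps="https" is the equivalent shorthand on SP 2.4 and later. -->
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          handlerURL="/Shibboleth.sso" handlerSSL="true"
          consistentAddress="false"
          cookieProps="; path=/; secure; HttpOnly">
  <!-- SessionInitiator and other handlers unchanged -->
</Sessions>
```

Two caveats worth keeping in mind. HttpOnly and Secure are attributes on the Set-Cookie header the SP emits, so cookies already sitting in users' browsers keep whatever attributes they were issued with until the SP writes a new session cookie; nothing is changed retroactively. And neither attribute helps once the value has leaked: with address binding off, the cookie's secrecy is the only thing standing between an attacker and the session, so shorter lifetimes and HTTPS on every path that carries the cookie matter more than usual.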
