IdP session and consistentAddress
cantor.2 at osu.edu
Sat Apr 2 20:31:15 EDT 2016
> Does the IdP maintain two sessions for two different IP addresses?
> Does it invalidate the first one?
It doesn't invalidate the first one but in the normal case that it's not a deliberate attack, the client's session cookie will be updated with a new session ID so the original one is orphaned.
> Are there any arguments against turning idp.session.consistentAddress off?
NAT and the like.