idp.session.consistentAddress and real security implications.
Cantor, Scott
cantor.2 at osu.edu
Mon Apr 25 13:26:39 EDT 2016
> We've been getting increasing complaints, especially from mobile users that
> move between 4G/3G and wifi, that they are losing their IdP SSO sessions.
The consequence being (leaving logout aside) that they have to login more, but nothing actually breaks, right?
> Therefore I've been asked to get some concrete data about how much
> security consistentAddress adds to the IdP sessions, or in other words how
> much security we lose by disabling it.
I think unbound cookies are an incredibly vulnerable session token. I don't know enough about the security implications of HTML Local Storage, so it's possible that using that for session storage could obviate some of the threats, but I think that would depend on other factors, such as whether the container session was bound or not.
I can only speak for myself, but "inconvenience" would not come anywhere near my threshold for unbinding them, and I'm pretty sure my security people would back that view.
It's fair to say that the problems with logout might change that view, but since I think the typical result for logout is going to be failure anyway, it doesn't seem like enough of an argument to me.
-- Scott
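As an added illustration (not Shibboleth code and not part of the original message), the following Python models the trade-off the thread is about: a session store that records the client address at login and, when the consistentAddress-style flag is on, refuses to honour a session presented from a different address. Class and function names and the sample addresses are constructed for this example.

```python
# Added example: a minimal model of address-bound IdP sessions.
# This is not the Shibboleth IdP implementation; it only shows the effect
# of binding (or not binding) a session to the client address seen at login.
import secrets
from typing import Dict, Optional


class Session:
    def __init__(self, principal: str, bound_address: str):
        self.principal = principal
        self.bound_address = bound_address  # address observed when the session was created


class SessionStore:
    def __init__(self, consistent_address: bool):
        # Mirrors the idea of idp.session.consistentAddress: when True, the
        # session is only valid from the address it was created from.
        self.consistent_address = consistent_address
        self._sessions: Dict[str, Session] = {}

    def create(self, principal: str, client_address: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session cookie value
        self._sessions[token] = Session(principal, client_address)
        return token

    def resolve(self, token: str, client_address: str) -> Optional[str]:
        """Return the principal for a usable session, or None if re-authentication is needed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self.consistent_address and session.bound_address != client_address:
            # From the IdP's point of view a user who moved from 4G to wifi and a
            # stolen cookie replayed from elsewhere look the same: the address changed.
            # With binding on, both are refused and the user has to log in again.
            return None
        return session.principal


def scenario(consistent_address: bool) -> Dict[str, Optional[str]]:
    """Exercise one login followed by requests from the original and a different address."""
    store = SessionStore(consistent_address)
    token = store.create("alice", "203.0.113.10")  # constructed sample address
    return {
        "same_address": store.resolve(token, "203.0.113.10"),
        "other_address": store.resolve(token, "198.51.100.7"),  # roamed or replayed
        "unknown_token": store.resolve("not-a-real-token", "203.0.113.10"),
    }
```

With binding on, the roaming user is forced to log in again but a cookie presented from another address is useless; with binding off, the same cookie works from anywhere, which is the loss the thread is weighing.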