idp.session.consistentAddress and real security implications.

[Cantor, Scott]

> We do external authn and have gotten hit with this on the return to the IdP.

That would imply that the container session is itself unsafe. In which case, yikes, but additionally, it probably doesn't matter all that much whether you bind this cookie if that one isn't.

The IdP's session doesn't come into play at all for external authn (in V3).

-- Scott