idp.session.consistentAddress and real security implications.

Jim Fox fox at
Mon Apr 25 14:04:48 EDT 2016

>> We do external authn and have gotten hit with this on the return to the IdP.
> That would imply that the container session is itself unsafe. In which case, yikes, but additionally, it probably doesn't matter all that much whether you bind this cookie if that one isn't.
> The IdP's session doesn't come into play at all for external authn (in V3).

I was thinking V2. Maybe consistentAddress will work for me in V3. I'll try it that way.


