idp.session.consistentAddress and real security implications.

Jeffrey Crawford jeffreyc at ucsc.edu
Mon Apr 25 14:08:23 EDT 2016


Jeffrey C.


Both pilots and IT professionals require training and currency before
charging into clouds!
---------------------------------------

On Mon, Apr 25, 2016 at 10:26 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> > We've been getting increasing complaints, especially from mobile users
> > that move between 4G/3G and wifi, that they are losing their IdP SSO
> > sessions.
>
> The consequence being (leaving logout aside) that they have to login more,
> but nothing actually breaks, right?
>
Correct, people are just annoyed ;).


>
> > Therefore I've been asked to get some concrete data about how much
> > security consistentAddress adds to the IdP sessions, or in other words
> > how much security we lose by disabling it.
>
> I think unbound cookies are an incredibly vulnerable session token. I
> don't know enough about the security implications of HTML Local Storage, so
> it's possible that using that for session storage could obviate some of the
> threats, but I think that would depend on other factors, such as whether
> the container session was bound or not.
>
> I can only speak for myself, but "inconvenience" would not come anywhere
> near my threshold for unbinding them, and I'm pretty sure my security
> people would back that view.
>
> It's fair to say that the problems with logout might change that view, but
> since I think the typical result for logout is going to be failure anyway,
> it doesn't seem like enough of an argument to me.
>
Thanks, so it does have a real security implication is what you're saying.
(I'm not sure if I'll need details but it impacts security significantly is
a viable answer.)


>
> -- Scott
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
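The trade-off the thread is weighing, as an added illustration (not Shibboleth IdP code): a toy session store whose `consistent_address` flag mirrors the intent of `idp.session.consistentAddress`. Addresses, principal names and the store's API are constructed for the example; it shows that, judged by address alone, a roaming mobile user and a cookie replayed from another host look identical, so binding rejects both and unbinding accepts both.

```python
"""Constructed illustration of address-bound SSO sessions (not IdP code)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Session:
    principal: str
    bound_address: str  # client address the cookie was issued to


@dataclass
class SessionStore:
    # True mirrors the intent of idp.session.consistentAddress=true.
    consistent_address: bool = True
    _sessions: Dict[str, Session] = field(default_factory=dict)
    # Audit trail of (principal, bound_address, presented_address) rejections;
    # this is what a defender would alert on or review.
    rejections: List[Tuple[str, str, str]] = field(default_factory=list)

    def create(self, principal: str, client_address: str) -> str:
        """Issue an unguessable cookie value tied to the creating address."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(principal, client_address)
        return cookie

    def lookup(self, cookie: str, client_address: str) -> Optional[str]:
        """Return the principal for a cookie that is valid for this request.

        With consistent_address on, a cookie presented from any address other
        than its bound one is refused for this request and the mismatch is
        recorded. The store cannot tell a user who moved from 4G to wifi apart
        from a cookie copied to another host: both are refused, so the
        legitimate user is forced to log in again.
        """
        session = self._sessions.get(cookie)
        if session is None:
            return None
        if self.consistent_address and session.bound_address != client_address:
            self.rejections.append(
                (session.principal, session.bound_address, client_address))
            return None
        return session.principal


if __name__ == "__main__":
    store = SessionStore(consistent_address=True)
    cookie = store.create("alice", "198.51.100.7")   # constructed address
    print(store.lookup(cookie, "198.51.100.7"))      # alice
    print(store.lookup(cookie, "203.0.113.9"))       # None (address changed)
    print(store.rejections)
```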