idp.session.consistentAddress and real security implications.
jeffreyc at ucsc.edu
Mon Apr 25 14:08:23 EDT 2016
Both pilots and IT professionals require training and currency before
charging into clouds!
On Mon, Apr 25, 2016 at 10:26 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> > We've been getting increasing complaints, especially from mobile users
> > who move between 4G/3G and wifi, that they are losing their IdP SSO
> The consequence being (leaving logout aside) that they have to login more,
> but nothing actually breaks, right?
Correct, people are just annoyed ;).
> > Therefore I've been asked to get some concrete data about how much
> > security consistentAddress adds to the IdP sessions, or in other words how
> > much security we lose by disabling it.
> I think unbound cookies are an incredibly vulnerable session token. I
> don't know enough about the security implications of HTML Local Storage, so
> it's possible that using that for session storage could obviate some of the
> threats, but I think that would depend on other factors, such as whether
> the container session was bound or not.
> I can only speak for myself, but "inconvenience" would not come anywhere
> near my threshold for unbinding them, and I'm pretty sure my security
> people would back that view.
> It's fair to say that the problems with logout might change that view, but
> since I think the typical result for logout is going to be failure anyway,
> it doesn't seem like enough of an argument to me.
Thanks, so it does have a real security implication is what you're saying.
(I'm not sure if I'll need details but it impacts security significantly is
a viable answer.)
> -- Scott
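The trade-off the thread is about, as an added illustration in Python that is not Shibboleth code: a toy session table with the consistentAddress knob, showing that a bound session is useless when the cookie turns up from any other address (a phone roaming from 4G to wifi and a cookie replayed from another host look identical to the server), while an unbound one is accepted from anywhere. The principal, addresses and the assumption that a mismatched address discards the session are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class Session:
    principal: str
    bound_address: str  # client address observed when the session was created


class SessionStore:
    """Minimal server-side session table keyed by the cookie value."""

    def __init__(self, consistent_address: bool):
        self.consistent_address = consistent_address  # models idp.session.consistentAddress
        self._sessions: Dict[str, Session] = {}

    def login(self, principal: str, client_address: str) -> str:
        """Authenticate the user and hand back an unguessable cookie value."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = Session(principal, client_address)
        return cookie

    def resolve(self, cookie: str, client_address: str) -> Optional[str]:
        """Return the principal behind a presented cookie, or None when the
        session cannot be used and the user has to log in again."""
        session = self._sessions.get(cookie)
        if session is None:
            return None
        if self.consistent_address and session.bound_address != client_address:
            # Address mismatch: the cookie arrived from somewhere other than the
            # login address, so reject it and drop the session (assumed behaviour).
            # A phone roaming from 4G to wifi hits this; so does a cookie replayed
            # from another host, which is the point of binding.
            del self._sessions[cookie]
            return None
        return session.principal


def check(consistent_address: bool, login_address: str,
          present_address: str) -> Tuple[Optional[str], Optional[str]]:
    """Log in from login_address, present the cookie from present_address, then
    again from login_address. Returns the principal seen each time (None means
    the user must re-authenticate)."""
    store = SessionStore(consistent_address)
    cookie = store.login("jeffreyc", login_address)  # constructed principal
    first = store.resolve(cookie, present_address)
    second = store.resolve(cookie, login_address)
    return first, second
```

With binding on, `check(True, "203.0.113.10", "198.51.100.7")` returns `(None, None)`: the roaming request fails and the session is gone even for the original address, which is the extra login the mobile users are complaining about; with binding off the same call returns the principal both times.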