idp.session.consistentAddress and real security implications.

Jeffrey Crawford jeffreyc at
Mon Apr 25 14:08:23 EDT 2016


Both pilots and IT professionals require training and currency before
charging into clouds!

On Mon, Apr 25, 2016 at 10:26 AM, Cantor, Scott <cantor.2 at> wrote:

> > We've been getting increasing complaints, especially from mobile users that
> > move between 4G/3G and wifi, that they are losing their IdP SSO sessions.
> The consequence being (leaving logout aside) that they have to login more,
> but nothing actually breaks, right?
Correct, people are just annoyed ;).

> > Therefore I've been asked to get some concrete data about how much
> > security consistentAddress adds to the IdP sessions, or in other words how
> > much security we lose by disabling it.
> I think unbound cookies are an incredibly vulnerable session token. I
> don't know enough about the security implications of HTML Local Storage, so
> it's possible that using that for session storage could obviate some of the
> threats, but I think that would depend on other factors, such as whether
> the container session was bound or not.
> I can only speak for myself, but "inconvenience" would not come anywhere
> near my threshold for unbinding them, and I'm pretty sure my security
> people would back that view.
> It's fair to say that the problems with logout might change that view, but
> since I think the typical result for logout is going to be failure anyway,
> it doesn't seem like enough of an argument to me.
Thanks, so it does have a real security implication is what you're saying.
(I'm not sure if I'll need details but it impacts security significantly is
a viable answer.)

> -- Scott
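To make the trade-off in the exchange above concrete, here is an added illustration (not code from the thread or from the Shibboleth project) of a server-side SSO session store that can bind each session to the client address, in the spirit of idp.session.consistentAddress. The class and function names, and the sample addresses, are constructed for this example.

```python
"""Added example: address-bound vs. unbound SSO session cookies.

Not from the mailing-list thread or the Shibboleth code base; the names and
the sample addresses are constructed for illustration only.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    principal: str
    address: str  # client address recorded when the session was created


class SessionStore:
    """In-memory SSO session store keyed by an opaque cookie value."""

    def __init__(self, consistent_address: bool):
        self.consistent_address = consistent_address
        self._sessions: Dict[str, Session] = {}

    def create(self, principal: str, address: str) -> str:
        cookie = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[cookie] = Session(principal, address)
        return cookie

    def resolve(self, cookie: str, address: str) -> Optional[str]:
        """Return the principal for a presented cookie, or None when the
        session is unknown or (in bound mode) presented from another address."""
        session = self._sessions.get(cookie)
        if session is None:
            return None
        if self.consistent_address and session.address != address:
            # Bound mode refuses a cookie presented from a different address,
            # whether it was replayed elsewhere or the legitimate user simply
            # moved from wifi to 4G (the complaint that started the thread).
            return None
        return session.principal


def trade_off(consistent_address: bool) -> Tuple[bool, bool]:
    """(roaming_user_keeps_sso, replayed_cookie_accepted) for one setting."""
    store = SessionStore(consistent_address)
    cookie = store.create("alice", "198.51.100.10")   # logged in over wifi
    roaming = store.resolve(cookie, "203.0.113.77")   # same user, now on 4G
    replay = store.resolve(cookie, "192.0.2.5")       # same cookie, third host
    return roaming == "alice", replay == "alice"
```

With binding enabled both the roaming user and the replayed cookie are refused; with it disabled both are accepted, which is exactly the convenience-versus-exposure choice the thread weighs.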