idp.session.consistentAddress and real security implications.

Cantor, Scott cantor.2 at osu.edu
Mon Apr 25 14:15:29 EDT 2016


> Thanks, so it does have a real security implication is what you're saying. (I'm
> not sure if I'll need details but it impacts security significantly is a viable
> answer.)

I don't believe browsers meaningfully protect cookies at this point, given the intentional circumvention of same-origin policy as a routine development strategy, the amount of malware on machines, etc. YMMV and I'm sure others do.

The cookie plus the stored data associated with it is the only thing securing a session with the IdP and that's what provides SSO. If the stored data is on the server, then the cookie is a longish-lived bearer token and the only theft mitigation is client address.

If Local Storage is equally vulnerable to theft, which is likely, then having that data on the client doesn't affect this risk much.

-- Scott
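The trade-off described above, as an added illustration that is not Shibboleth code or anything from this thread: a constructed server-side session store where the cookie is a bearer token and the only theft check is the client address, toggled by a `consistent_address` flag standing in for `idp.session.consistentAddress`. The principal, addresses and timestamps are constructed sample values; the same check also refuses a legitimate client whose address changes mid-session, which is the usual cost of this setting.

```python
import secrets

# Constructed model of a server-side IdP session store (not Shibboleth code).
# The cookie value is a bearer token; the record it points at lives on the
# server. With consistent_address on, a cookie presented from a different
# client address than the one it was issued to is refused.
class SessionStore:
    def __init__(self, consistent_address=True, lifetime=3600):
        self.consistent_address = consistent_address
        self.lifetime = lifetime          # seconds
        self._sessions = {}               # cookie value -> record

    def create(self, principal, client_addr, now):
        """Issue a fresh, unguessable cookie bound to the client address."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {
            "principal": principal,
            "addr": client_addr,
            "created": now,
        }
        return cookie

    def resolve(self, cookie, client_addr, now):
        """Return (principal, status) for a presented cookie."""
        rec = self._sessions.get(cookie)
        if rec is None:
            return None, "unknown"
        if now - rec["created"] > self.lifetime:
            del self._sessions[cookie]
            return None, "expired"
        if self.consistent_address and client_addr != rec["addr"]:
            # The only theft signal available here: a different address.
            return None, "address-mismatch"
        return rec["principal"], "ok"


def replay_outcome(consistent_address):
    """Simulate one legitimate reuse and one replay of the same cookie."""
    store = SessionStore(consistent_address=consistent_address)
    t0 = 1_700_000_000                      # constructed timestamp
    cookie = store.create("alice", "198.51.100.10", t0)
    legit = store.resolve(cookie, "198.51.100.10", t0 + 60)   # same client
    replay = store.resolve(cookie, "203.0.113.7", t0 + 120)   # another host
    return legit, replay


if __name__ == "__main__":
    print("consistentAddress=true :", replay_outcome(True))
    print("consistentAddress=false:", replay_outcome(False))
```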


