idp.session.consistentAddress and real security implications.
Brent Putman
putmanb at georgetown.edu
Mon Apr 25 15:25:30 EDT 2016
On 4/25/16 2:15 PM, Cantor, Scott wrote:
>
> If Local Storage is equally vulnerable to theft, which is likely, then having that data on the client doesn't affect this risk much.
I was looking into this recently for other reasons. My understanding so
far is that localStorage/sessionStorage is accessible from any
Javascript code loaded from the same domain that stored it. So I guess
it is same-origin(ish).
That means it's completely vulnerable via XSS attacks for theft,
tampering, etc., if the attacker manages to get the browser to load and
run Javascript. For that reason, the info I found recommended that
local storage not be used for the storage of any security-sensitive
info, such as OAuth security tokens or any other kind of bearer token, and
of course not passwords, secrets, etc.
I was actually going to bring up soon what the IdP is actually
doing with local storage and the client-side storage service impl, and how, just
so I understand better the tradeoffs in general.
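An added example (not from this thread or the Shibboleth code base) of the point above from the defender's side: any script running on the same origin can walk a Web Storage area, so this audit does exactly that and flags entries whose key or value looks like a bearer token. The Storage stand-in and the sample entries are constructed so it runs under Node; in a browser you would pass window.localStorage instead.

```javascript
// Added example: audit a Web Storage area for bearer-token-shaped values.
// Any same-origin script (including injected XSS) can do this enumeration,
// which is why bearer tokens should not live in localStorage.

// Three base64url segments separated by dots: header.payload.signature
const JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;
const SENSITIVE_KEY_RE = /(token|secret|password|session|auth|bearer)/i;

function looksLikeBearerToken(value) {
  if (typeof value !== 'string') return false;
  if (JWT_RE.test(value.trim())) return true;
  // Long opaque single token (no whitespace, base64/base64url alphabet)
  return value.length >= 32 && !/\s/.test(value) && /^[A-Za-z0-9+/_=-]+$/.test(value);
}

// storage: anything implementing length, key(i), getItem(k) (the Storage interface)
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    const reasons = [];
    if (SENSITIVE_KEY_RE.test(key)) reasons.push('sensitive-looking key name');
    if (looksLikeBearerToken(value)) reasons.push('bearer-token-shaped value');
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function fakeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return {
    get length() { return map.size; },
    key: (i) => Array.from(map.keys())[i] ?? null,
    getItem: (k) => (map.has(k) ? map.get(k) : null),
  };
}

// Constructed sample entries: one harmless preference, one JWT-shaped token,
// one opaque session blob (values are placeholders, not real credentials).
const sample = fakeStorage({
  'ui.theme': 'dark',
  'oauth_access_token': 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
  'idp.sessionState': 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5',
});

console.log(auditStorage(sample));
```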