idp.session.consistentAddress and real security implications.

Brent Putman putmanb at
Mon Apr 25 15:25:30 EDT 2016

On 4/25/16 2:15 PM, Cantor, Scott wrote:
> If Local Storage is equally vulnerable to theft, which is likely, then having that data on the client doesn't affect this risk much.

I was looking into this recently for other reasons.  My understanding so
far is that localStorage/sessionStorage is accessible from any
Javascript code loaded from the same domain that stored it.  So I guess
is same-origin(ish).

That means it's completely vulnerable via XSS attacks for theft,
tampering, etc, if the attacker manages to get the browser to load and
run Javascript.  For that reason, the info I found recommended that
local storage not be used for the storage of any security-sensitive
info, so as OAuth security tokens or any other kind of bearer token, and
of course not passwords, secrets, etc.

I was actually going to bring up soon what and how the IdP is actually
doing with local storage and the client-side storage service impl, just
so I understand better better the tradeoffs in general.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list