idp.session.consistentAddress and real security implications.

Cantor, Scott cantor.2 at
Mon Apr 25 15:55:20 EDT 2016

> That means it's completely vulnerable via XSS attacks for theft, tampering,
> etc, if the attacker manages to get the browser to load and run Javascript.

I assumed.

> For that reason, the info I found recommended that local storage not be
> used for the storage of any security-sensitive info, so as OAuth security
> tokens or any other kind of bearer token, and of course not passwords,
> secrets, etc.

And cookies are the original bearer token and are obviously vulnerable, which is where we came in.

> I was actually going to bring up soon what and how the IdP is actually doing
> with local storage and the client-side storage service impl, just so I
> understand better better the tradeoffs in general.

It stores a lot of potentially sensitive info, encrypted with AES-GCM. It doesn't store passwords unless you tell it to.

-- Scott

More information about the users mailing list