idp.session.consistentAddress and real security implications.

Brent Putman putmanb at georgetown.edu
Mon Apr 25 16:03:33 EDT 2016



On 4/25/16 3:55 PM, Cantor, Scott wrote:
>> For that reason, the info I found recommended that local storage not be
>> used for the storage of any security-sensitive info, such as OAuth security
>> tokens or any other kind of bearer token, and of course not passwords,
>> secrets, etc.
> And cookies are the original bearer token and are obviously vulnerable, which is where we came in.


True.  The articles I read however argued that in general cookies are
still more secure and a better choice for security info since, unlike
local storage, you can and should set HttpOnly and thereby at least
prevent the JavaScript XSS vectors.


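The HttpOnly point above is one a practitioner would want to check on an IdP's actual responses. The following is an added example, not code from the Shibboleth project or the list posters: it parses a Set-Cookie header and flags a session cookie that page scripts could read; it also goes a step beyond the post by reporting missing Secure and SameSite attributes. Cookie names and header values are constructed for illustration.

```python
"""Audit Set-Cookie headers for the attributes that keep a session/bearer
cookie out of reach of page scripts (HttpOnly) and off plaintext channels
(Secure). Added example; the sample headers are constructed, not captured
from a real IdP."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    # First ';'-separated segment is name=value; the rest are attributes.
    # Attribute names are matched case-insensitively, as RFC 6265 requires.
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite") or None,
    )


def audit_session_cookie(header: str) -> CookieAudit:
    """Return the parsed cookie with a finding for each missing protection."""
    result = parse_set_cookie(header)
    if not result.httponly:
        result.findings.append(
            "missing HttpOnly: document.cookie exposes this value to injected script")
    if not result.secure:
        result.findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if result.samesite is None:
        result.findings.append("missing SameSite: cookie is attached to cross-site requests")
    return result


# Constructed samples: a hardened session cookie and one set with no protections.
SAMPLES = [
    "idp_session=abc123; Path=/idp; Secure; HttpOnly; SameSite=None",
    "session=xyz; Path=/",
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        audit = audit_session_cookie(hdr)
        print(audit.name, "OK" if not audit.findings else audit.findings)
```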