idp.session.consistentAddress and real security implications.

Brent Putman putmanb at
Mon Apr 25 16:03:33 EDT 2016

On 4/25/16 3:55 PM, Cantor, Scott wrote:
>> For that reason, the info I found recommended that local storage not be
>> used for the storage of any security-sensitive info, so as OAuth security
>> tokens or any other kind of bearer token, and of course not passwords,
>> secrets, etc.
> And cookies are the original bearer token and are obviously vulnerable, which is where we came in.

True.  The articles I read however argued that in general cookies are
still more secure and a better choice for security info since, unlike
local storage, you can and should set HttpOnly and thereby at least
prevent the JavaScript XSS vectors.
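The contrast drawn above, as an added example that is not part of the original thread or of any Shibboleth code: a small Node.js model of what an injected script can read when a session token is held in an HttpOnly cookie versus in localStorage. The cookie name `shib_idp_session`, the token values and the localStorage contents are constructed for the demo; `scriptVisibleCookies` is a simplified stand-in for the browser's `document.cookie` behaviour (HttpOnly cookies are omitted), not a real browser API.

```javascript
// Added example, not from the original thread. Toy model of how HttpOnly
// limits what XSS-injected script can read, compared with localStorage,
// which has no equivalent attribute. All cookie names/values are constructed.

// Build a Set-Cookie header value; defaults are the hardened settings.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/', maxAge } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq);
  const value = decodeURIComponent(pair.slice(eq + 1));
  const attrs = {};
  for (const a of attrParts) {
    const i = a.indexOf('=');
    if (i === -1) attrs[a.toLowerCase()] = true;
    else attrs[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Simplified model of document.cookie: the browser leaves HttpOnly cookies
// out of the string page script can read (and out of what it can overwrite).
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(c => !c.attrs.httponly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What one injected script could collect: every non-HttpOnly cookie plus the
// whole of localStorage (modelled as a plain object; no attribute hides a
// localStorage key from script running in the origin).
function simulateXssExfil(setCookieHeaders, localStorage) {
  return {
    cookies: scriptVisibleCookies(setCookieHeaders),
    localStorage: { ...localStorage },
  };
}

// Demo: the same session token issued as an HttpOnly cookie and as a
// non-HttpOnly cookie, alongside a bearer token kept in localStorage.
function demo() {
  const hardened = [buildSetCookie('shib_idp_session', 'sess-123', { maxAge: 3600 })];
  const weak = [buildSetCookie('shib_idp_session', 'sess-123', { httpOnly: false, maxAge: 3600 })];
  const storage = { access_token: 'constructed-bearer-token' };
  return {
    hardened: simulateXssExfil(hardened, storage),
    weak: simulateXssExfil(weak, storage),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the hardened case the exfiltrated cookie string is empty while the localStorage token is still taken; in the weak case both leak. The caveat a practitioner should keep in mind: HttpOnly stops script from reading the cookie, not from using it, since any request the injected script makes from the page still carries the cookie. The `Secure` and `SameSite` attributes in the builder are the usual companions and are an addition here, not something the thread discusses.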
