idp.session.consistentAddress and real security implications.
Brent Putman
putmanb at georgetown.edu
Mon Apr 25 17:05:35 EDT 2016
On 4/25/16 4:05 PM, Cantor, Scott wrote:
>> True. The articles I read however argued that in general cookies are still
>> more secure and a better choice for security info since, unlike local storage,
>> you can and should set HttpOnly and thereby at least prevent the Javascript
>> XSS vectors.
> That is about the saddest thing I've read in a while.
I'm not saying that they're right, only reporting what my (probably
small) sampling seemed to agree on. Still trying to understand all the
issues myself. There's a tradeoff either way: with local storage you
have to worry about rogue Javascript; with cookies-as-bearer-tokens
there's the problem with binding it to the browser and legitimate user.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20160425/9d0b380a/attachment.html>
More information about the users
mailing list