idp.session.consistentAddress and real security implications.

Brent Putman putmanb at
Mon Apr 25 17:05:35 EDT 2016

On 4/25/16 4:05 PM, Cantor, Scott wrote:
>> True.  The articles I read however argued that in general cookies are still
>> more secure and a better choice for security info since, unlike local storage,
>> you can and should set HttpOnly and thereby at least prevent the Javascript
>> XSS vectors.
> That is about the saddest thing I've read in a while.

I'm not saying that they're right, only reporting what my (probably
small) sampling seemed to agree on. Still trying to understand all the
issues myself. There's a tradeoff either way: with local storage you
have to worry about rogue Javascript; with cookies-as-bearer-tokens
there's the problem with binding it to the browser and legitimate user.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list