idp.session.consistentAddress and real security implications.

Jeffrey Crawford jeffreyc at ucsc.edu
Wed Apr 27 13:30:43 EDT 2016


Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365
jeffreyc at ucsc.edu

Both pilots and IT professionals require training and currency before
charging into clouds!
---------------------------------------

On Mon, Apr 25, 2016 at 11:15 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> > Thanks, so it does have a real security implication is what you're
> > saying. (I'm not sure if I'll need details but it impacts security
> > significantly is a viable answer.)
>
> I don't believe browsers meaningfully protect cookies at this point, given
> the intentional circumvention of same-origin policy as a routine
> development strategy, the amount of malware on machines, etc. YMMV and I'm
> sure others do.
>
> The cookie plus the stored data associated with it is the only thing
> securing a session with the IdP and that's what provides SSO. If the stored
> data is on the server, then the cookie is a longish-lived bearer token and
> the only theft mitigation is client address.
>
Can you elaborate on "stored data is on the server"? Would this be
"idp.session.StorageService = shibboleth.StorageService"?

>
> If Local Storage is equally vulnerable to theft, which is likely, then
> having that data on the client doesn't affect this risk much.
>
Would this be the case if the server is set to "idp.session.StorageService
= shibboleth.ClientSessionStorageService"?

>
> -- Scott
>
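A constructed model of what idp.session.consistentAddress buys when the session data is kept on the server, added here as an illustration and not code from the Shibboleth IdP: the cookie the browser holds is an opaque bearer value, so the only thing that stops a copied cookie from being replayed is the client address recorded with the session. The store class, principal name and addresses are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed model (not IdP code) of a server-side session store where the
# cookie is nothing but a random bearer token that looks up the stored data.


@dataclass
class Session:
    principal: str
    bound_address: str  # client address recorded when the session was created


@dataclass
class SessionStore:
    # Mirrors idp.session.consistentAddress: when True, a cookie presented
    # from a different address than the one it was issued to is rejected.
    consistent_address: bool = True
    sessions: dict = field(default_factory=dict)

    def create(self, principal: str, client_address: str) -> str:
        cookie = secrets.token_urlsafe(32)  # the bearer value the browser holds
        self.sessions[cookie] = Session(principal, client_address)
        return cookie

    def resolve(self, cookie: str, client_address: str):
        """Return the principal behind a presented cookie, or None if rejected."""
        session = self.sessions.get(cookie)
        if session is None:
            return None
        if self.consistent_address and session.bound_address != client_address:
            # Same cookie, different address: treat it as theft and drop the
            # session so the copied value is useless from now on.
            del self.sessions[cookie]
            return None
        return session.principal


def replay_outcome(consistent_address: bool) -> tuple:
    """Issue a session, then present the same cookie from a second
    (constructed) address. Returns (legitimate result, replayed result)."""
    store = SessionStore(consistent_address=consistent_address)
    cookie = store.create("alice", "203.0.113.10")
    legitimate = store.resolve(cookie, "203.0.113.10")
    replayed = store.resolve(cookie, "198.51.100.7")
    return legitimate, replayed
```

With the check enabled the replay returns None and the session is gone; with it disabled the copied cookie resolves to the same principal, which is the risk the thread describes. The operational cost is that legitimate users whose address changes mid-session (NAT pools, mobile hand-offs) lose their SSO session and must log in again.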