idp.session.consistentAddress and real security implications.

Jeffrey Crawford jeffreyc at
Wed Apr 27 13:30:43 EDT 2016

Jeffrey E. Crawford
ITS Application Administrator (IdM)
jeffreyc at

Both pilots and IT professionals require training and currency before
charging into clouds!

On Mon, Apr 25, 2016 at 11:15 AM, Cantor, Scott <cantor.2 at> wrote:

> > Thanks, so it does have a real security implication is what you're
> > saying. (I'm not sure if I'll need details but it impacts security
> > significantly is a viable answer.)
> I don't believe browsers meaningfully protect cookies at this point, given
> the intentional circumvention of same-origin policy as a routine
> development strategy, the amount of malware on machines, etc. YMMV and I'm
> sure others' do.
> The cookie plus the stored data associated with it is the only thing
> securing a session with the IdP and that's what provides SSO. If the stored
> data is on the server, then the cookie is a longish-lived bearer token and
> the only theft mitigation is client address.
Can you elaborate on "stored data is on the server"? Would this be
"idp.session.StorageService = shibboleth.StorageService"?

> If Local Storage is equally vulnerable to theft, which is likely, then
> having that data on the client doesn't affect this risk much.
Would this be the case if the server were set to "idp.session.StorageService
= shibboleth.ClientSessionStorageService"?

> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
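The mechanism Scott describes above (the cookie is a bearer token, the real session state is stored on the server, and the client address is the one theft mitigation) can be modelled in a few lines. The following is an added example written for this thread, not Shibboleth IdP code: the class, method names and the RFC 5737 addresses are constructed, and the `consistent_address` flag stands in for what `idp.session.consistentAddress` controls. It shows why a stolen cookie is enough on its own, and what the address check does and does not buy you.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Toy server-side session store (added example, not Shibboleth code).

    The value handed to the browser is a random bearer token. Everything
    else (principal, client address, creation time) is kept on the server,
    as with shibboleth.StorageService. Only a SHA-256 of the token is kept,
    so a dump of the store does not directly yield usable cookies.
    """

    def __init__(self, consistent_address=True, lifetime_seconds=3600):
        # consistent_address models idp.session.consistentAddress: when True,
        # a token presented from a different client address is rejected.
        self.consistent_address = consistent_address
        self.lifetime_seconds = lifetime_seconds
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, principal, client_address, now=None):
        """Start a session and return the bearer token to set as the cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "principal": principal,
            "address": client_address,
            "created": now,
        }
        return token

    def resolve(self, token, client_address, now=None):
        """Return the principal for a presented cookie, or None if it is not
        acceptable (unknown, expired, or bound to another client address)."""
        now = time.time() if now is None else now
        key = self._key(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        if now - record["created"] > self.lifetime_seconds:
            # Expired: drop the server-side state so the token is dead for good.
            del self._sessions[key]
            return None
        if self.consistent_address and record["address"] != client_address:
            # Possible cookie theft or a client whose address changed; deny.
            # A real deployment would log this with both addresses.
            return None
        return record["principal"]


if __name__ == "__main__":
    # Constructed demonstration: a cookie issued to 192.0.2.10 and then
    # replayed from 198.51.100.7, with and without the address check.
    strict = SessionStore(consistent_address=True)
    cookie = strict.create("alice", "192.0.2.10", now=0)
    print("same address:", strict.resolve(cookie, "192.0.2.10", now=10))
    print("other address, consistentAddress on:",
          strict.resolve(cookie, "198.51.100.7", now=10))

    lax = SessionStore(consistent_address=False)
    cookie = lax.create("alice", "192.0.2.10", now=0)
    print("other address, consistentAddress off:",
          lax.resolve(cookie, "198.51.100.7", now=10))
```

The point of the second store is the one Scott makes: with the address check off, nothing but possession of the cookie is needed, however the session data is stored. The check is also only a partial mitigation, since anything presenting the token from the same address (malware on the user's machine, a shared NAT egress) passes it, and users behind changing addresses will be logged out.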