Shibboleth SP3 Premature Session Expiration

Cantor, Scott cantor.2 at osu.edu
Wed Dec 19 09:58:16 EST 2018


On 12/19/18, 9:53 AM, "users on behalf of Michael Kim" <users-bounces at shibboleth.net on behalf of michaeljkim at gmail.com> wrote:

> I think the documentation is fine.  I think what confused me was the examples I see say checkAddress="false" but no
> mention of consistentAddress.  Because people, like myself, who are more generalists and not specialists.  It’s hard to
> know that they kind of work hand in hand.

They don't really work hand in hand per se, they're two different things that both have something to do with the client address, but in very different ways, and one of them is much more dangerous than the other.

> I think it would help if in the example shibboleth xml file to specify both checkAddress="false" and
> consistentAddress="false" also.

Since I think it's a really terrible idea to ever set consistentAddress to false (you add a significant security weakness IMHO), I really don't favor encouraging people to do that.

-- Scott
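
An added example, not part of the original message or of the Shibboleth project's code: a small Python check that lists every `<Sessions>` element in an SP configuration where either address setting is explicitly disabled, rating `consistentAddress="false"` as the serious one in line with the reply above. The sample configuration is constructed, and the function name and severity labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the thread).
SAMPLE = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              consistentAddress="false" handlerSSL="true" cookieProps="https"/>
    <ApplicationOverride id="admin" entityID="https://sp.example.org/admin">
      <Sessions lifetime="3600" timeout="600" checkAddress="false"/>
    </ApplicationOverride>
  </ApplicationDefaults>
</SPConfig>"""

# Severity labels are this example's own: the reply treats disabling
# consistentAddress as the dangerous change, so it is rated HIGH.
SETTINGS = (("consistentAddress", "HIGH"), ("checkAddress", "INFO"))


def local(tag):
    """Strip the XML namespace so the check works across config versions."""
    return tag.rsplit("}", 1)[-1]


def audit_sessions(xml_text):
    """Return (application, attribute, severity) for each explicit 'false'."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        for child in parent:
            if local(child.tag) != "Sessions":
                continue
            # Name the owning application: an override's id, else "default".
            if local(parent.tag) == "ApplicationOverride":
                app = parent.get("id", "unnamed-override")
            else:
                app = "default"
            for attr, severity in SETTINGS:
                value = child.get(attr)
                # Only explicit settings are reported; an absent attribute
                # means the SP's built-in default applies.
                if value is not None and value.strip().lower() in ("false", "0"):
                    findings.append((app, attr, severity))
    return findings


if __name__ == "__main__":
    for app, attr, severity in audit_sessions(SAMPLE):
        print(f'[{severity}] application "{app}": {attr}="false"')
```
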



