Shibboleth IDP appspider scan results and questions
Crawford, Jeffrey
jcrawford at it.ucla.edu
Wed Jul 3 13:22:09 EDT 2019
Good morning,
We had a security group testing a SAML-enabled application, and due to the authentication being run by our IDP, it got scanned as well. Most of the report elements were considered low; however, I wanted to check in to see if we should be doing anything to improve our posture. The first one is the only one classified as medium, so I’ll start with that one.
1. Session fixation – Server accepts fixed Session ID in cookie == I believe this is a component of SSO and that the idp.session.consistentAddress = true offers the mitigation.
2. Browser response caching – Update Cache-Control to include “no-store, no-cache”, Expires to equal 0, and Pragma to include “no-cache” == My guess is that there isn’t a problem with adding these headers, I believe by default it just has “no-cache” on the Cache-Control
3. Document Encoding – Explicitly set document encoding to UTF-8 == I hadn’t heard of this one, any input on this?
4. Disable TRACE == Any problem with doing this?
5. Add HttpOnly in the response header == If JavaScript requires access to the cookie, then this will break things; not sure if it does.
Thanks for any input
Jeffrey C.
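A small audit script for the findings listed in the post (items 2 through 5), added here as an example; it is not code from the original message or from the Shibboleth project. It parses a raw HTTP response and reports which of the scanner's header expectations are unmet, and separately classifies a TRACE reply as enabled or disabled. The two IdP responses and the two TRACE replies below are constructed samples with hypothetical cookie names, not captures from a real deployment.

```python
"""Check an HTTP response against the scanner findings discussed above:
caching headers, document encoding, HttpOnly cookies, and TRACE.

Added example, not from the original post or the Shibboleth IdP project.
All responses below are constructed samples.
"""
from __future__ import annotations

REQUIRED_CACHE_DIRECTIVES = ("no-store", "no-cache")


def parse_response(raw: str) -> tuple[int, list[tuple[str, str]]]:
    """Split a raw HTTP response into (status_code, [(name, value), ...]).
    Headers are kept as a list so repeated ones such as Set-Cookie survive."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers: list[tuple[str, str]] = []
    for line in header_text.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_headers(raw_response: str) -> list[str]:
    """Return one finding string per unmet expectation; empty means clean."""
    _, headers = parse_response(raw_response)
    findings: list[str] = []

    def get(name: str) -> list[str]:
        return [v for n, v in headers if n == name]

    # 2. Browser response caching: Cache-Control no-store + no-cache,
    #    Pragma: no-cache, Expires: 0
    cache_control = ",".join(get("cache-control")).lower()
    directives = {d.strip() for d in cache_control.split(",") if d.strip()}
    for directive in REQUIRED_CACHE_DIRECTIVES:
        if directive not in directives:
            findings.append(f"Cache-Control lacks {directive}")
    if "no-cache" not in [v.lower() for v in get("pragma")]:
        findings.append("Pragma: no-cache missing")
    expires = get("expires")
    if not expires or expires[0] != "0":
        findings.append("Expires is not 0")

    # 3. Document encoding: text/* responses should declare charset=UTF-8
    for ctype in get("content-type"):
        normalized = ctype.lower().replace(" ", "")
        if normalized.startswith("text/") and "charset=utf-8" not in normalized:
            findings.append(f"Content-Type without charset=UTF-8: {ctype}")

    # 5. HttpOnly: every Set-Cookie should carry the attribute
    for cookie in get("set-cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(f"Set-Cookie without HttpOnly: {cookie.split('=')[0]}")
    return findings


def trace_enabled(trace_response: str) -> bool:
    """4. TRACE is enabled when the server echoes the request back as
    message/http; a 405 or 501 (or anything else) counts as disabled."""
    status, headers = parse_response(trace_response)
    ctype = ",".join(v for n, v in headers if n == "content-type").lower()
    return status == 200 and ctype.startswith("message/http")


# Constructed sample: roughly what the scanner complained about.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache\r\n"
    "Set-Cookie: SESSION=abc123; Path=/idp\r\n"
    "Set-Cookie: sso=xyz789; Path=/idp; HttpOnly\r\n"
    "\r\n<html></html>"
)

# Constructed sample: the same response with the requested headers added.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Cache-Control: no-store, no-cache\r\n"
    "Pragma: no-cache\r\n"
    "Expires: 0\r\n"
    "Set-Cookie: SESSION=abc123; Path=/idp; HttpOnly\r\n"
    "Set-Cookie: sso=xyz789; Path=/idp; HttpOnly\r\n"
    "\r\n<html></html>"
)

# Constructed TRACE replies: one server refuses, one echoes the request.
TRACE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"
TRACE_ENABLED = "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\nTRACE / HTTP/1.1\r\n"

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(resp) or "clean")
    print("TRACE enabled:", trace_enabled(TRACE_ENABLED), trace_enabled(TRACE_DISABLED))
```

Run it against responses captured with curl -i (and curl -i -X TRACE for item 4) after changing the IdP or container configuration, to confirm each header actually reaches the browser; the script only reports what the scanner expected and does not decide whether a given cookie is safe to mark HttpOnly.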