Destroying IdP sessions with client-side session storage
kwessel at illinois.edu
Mon Oct 21 21:55:37 EDT 2019
Not a problem, more a question of how the IdP works. We've got another SSO on our campus that has the unfortunate but rather difficult to exploit issue of session restoration of a terminated session by restoring a cookie. That is to say, if you copy the cookie out of the browser's cookie storage, then tell the SSO to log you out, you can then re-import the cookie and find that you've been logged back in. This, of course, involves exporting the cookie in a browser with an active session, and even after the session's restored, it's still only valid until its original session expiration time.
We did a quick test on the Shibboleth IdP, and it doesn't seem to have this issue. If you export the IdP cookies before calling the IdP logout handler and destroying the IdP session, and you then import the backed up IdP cookie, you're still prompted to reauthenticate.
The question, plain and simple: how does the IdP recognize an active session other than the client-side cookie? Or is our testing off and the cookie really is all there is to it?
I would hardly consider the issue with the other SSO an issue since, if you can get access to a browser with an active session, you can do a lot more than just export the cookie. But others are concerned and are asking why Shib doesn't seem to illustrate the same behavior.
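As an added illustration (not code from the original post, and not a description of the Shibboleth IdP's own implementation), the following contrasts the two session designs the question turns on: a purely client-side signed cookie, which the server has no way to revoke before it expires, and a server-side session record, which logout deletes so that a backed-up and re-imported cookie no longer resolves to anything. The key, the cookie layout, the user name and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real IdP loads its key from a keystore.
SERVER_KEY = secrets.token_bytes(32)

def stateless_issue(user, exp):
    """Client-side-only session: user and expiry live in the cookie, integrity via HMAC."""
    payload = f"{user}|{exp}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"

def stateless_validate(cookie, now):
    """A good tag and an unexpired timestamp are all that is checked; no server record exists."""
    user, exp, tag = cookie.rsplit("|", 2)
    expected = hmac.new(SERVER_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected) or now >= int(exp):
        return None
    return user

class StatefulIdP:
    """Server-side session table; the cookie is only an opaque handle into it."""
    def __init__(self):
        self.sessions = {}  # session id -> (user, expiry)

    def issue(self, user, exp):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (user, exp)
        return sid

    def validate(self, cookie, now):
        rec = self.sessions.get(cookie)
        return None if rec is None or now >= rec[1] else rec[0]

    def logout(self, cookie):
        # Deleting the record is what makes a re-imported copy of the cookie worthless.
        self.sessions.pop(cookie, None)

def replay_after_logout(user="alice", now=1000, exp=4600):
    """Back up the cookie, log out, re-import the backup; report what each design sees."""
    backup = stateless_issue(user, exp)
    # Stateless logout is just the browser discarding its cookie; the server keeps nothing.
    stateless_result = stateless_validate(backup, now)
    idp = StatefulIdP()
    backup = idp.issue(user, exp)
    idp.logout(backup)
    stateful_result = idp.validate(backup, now)
    return {"stateless": stateless_result, "stateful": stateful_result}
```

The stateless design only stops honouring the backup once the embedded expiry passes, which matches the "valid until its original session expiration time" behaviour described above.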