Destroying IdP sessions with client-side session storage

Cantor, Scott cantor.2 at
Tue Oct 22 08:05:12 EDT 2019

On 10/21/19, 9:55 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> We did a quick test on the Shibboleth IdP, and it doesn't seem to have this issue. If you export the IdP cookies before
> calling the IdP logout handler and destroying the IdP session, and you then import the backed up IdP cookie, you're
> still prompted to reauthenticate.

That depends on whether HTML storage is enabled, not to mention that the IdP enforces address restrictions. I consider it a security vulnerability in Jetty and Tomcat that they don't.
-- Scott

More information about the users mailing list