Destroying IdP sessions with client-side session storage

Wessel, Keith kwessel at illinois.edu
Tue Oct 22 09:40:35 EDT 2019


No HTML local storage for the IdP, just client-side cookies. And yes to enforcing client address consistency. So, with that said, does the IdP check anything beyond the contents of the cookie for session validity?

Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, October 22, 2019 7:05 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Destroying IdP sessions with client-side session storage

On 10/21/19, 9:55 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> We did a quick test on the Shibboleth IdP, and it doesn't seem to have this issue. If you export the IdP cookies before
> calling the IdP logout handler and destroying the IdP session, and you then import the backed up IdP cookie, you're
> still prompted to reauthenticate.

That depends on whether HTML storage is enabled, not to mention that the IdP enforces address restrictions. I consider it a security vulnerability in Jetty and Tomcat that they don't.
 
-- Scott


-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
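As an added illustration (not Shibboleth IdP code), a minimal stateless session-cookie validator in Python that shows what a server can and cannot check when the session lives only in the cookie: the HMAC, the expiry, the client-address binding Scott refers to, and a server-side logout record that a purely client-side store does not have. The key, principal and addresses are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real IdP uses its own configured sealer key.
SECRET = b"constructed-demo-key"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_cookie(principal: str, client_addr: str, now: int, lifetime: int = 3600) -> str:
    """Mint a self-contained (client-side) session cookie: JSON payload + HMAC."""
    payload = {"sub": principal, "addr": client_addr, "iat": now, "exp": now + lifetime}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (_b64(body) + b"." + _b64(mac)).decode()


def validate_cookie(cookie: str, client_addr: str, now: int,
                    enforce_address: bool = True, logged_out=None):
    """Return the principal if the cookie is acceptable, else None.

    logged_out maps principal -> time of the last logout. A purely client-side
    store keeps no such record, so a backed-up cookie replayed from the same
    address before 'exp' is indistinguishable from a live session.
    """
    try:
        body_b64, mac_b64 = cookie.encode().split(b".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError:
        return None  # malformed cookie
    if not hmac.compare_digest(hmac.new(SECRET, body, hashlib.sha256).digest(), mac):
        return None  # tampered or forged
    data = json.loads(body)
    if now >= data["exp"]:
        return None  # lifetime exhausted
    if enforce_address and data["addr"] != client_addr:
        return None  # client-address consistency check
    if logged_out and logged_out.get(data["sub"], -1) >= data["iat"]:
        return None  # a server-side logout marker newer than the cookie
    return data["sub"]
```

With `logged_out` left empty the validator accepts a replayed cookie from the original address until it expires, which is exactly the gap that address binding and a short lifetime narrow but do not close.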

