IdP Session ID question

Cantor, Scott cantor.2 at
Fri May 8 17:35:43 UTC 2020

On 5/8/20, 1:14 PM, "users on behalf of Mak, Steve" <users-bounces at on behalf of makst at> wrote:

> 1. How sensitive is the idp session id value?

That depends on #3 and on your session storage model, but even client storage is vulnerable to theft because there's no equivalent to the HttpOnly flag on local storage.

> 2. Has anyone written a script to perform a one-way hash on the value for logging purposes?

You can look at the hashed username audit extractor example in the audit-system.xml file to see how it can be done.

> 3. Does the idp session id sensitivity change if we have idp.session.consistentAddress = false ?

I think it does; lots of people disagree, obviously, since virtually no applications do that anymore, nor do Java containers in general.

Either IP spoofing is easy, in which case that's unconscionable, or it's very hard, in which case it's of no value to check it. It seems like one of the two must be the truth.

Scott
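
One way to do the one-way hashing asked about in question 2, as an added example that is not part of the original message and is not the audit-system.xml extractor or any Shibboleth code: a keyed HMAC-SHA256 token replaces the session ID before a line is written, so log lines still correlate per session but the logged value cannot be replayed as a session ID. The `session=<value>` log format, the key and the sample lines are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

# Assumption: the session ID appears in log lines as "session=<value>".
# This format is constructed for the example, not taken from the IdP.
SESSION_FIELD = re.compile(r"\bsession=([A-Za-z0-9_\-]+)")

# Constructed key for the example; a real one would come from a secret store
# so that someone holding only the logs cannot test candidate IDs offline.
LOG_KEY = b"example-only-key"

# Constructed sample lines: two requests in one session, one in another.
SAMPLE_LINES = [
    "2020-05-08T17:01:02Z login ok user=alice session=4f2a9c1e7b3d4a56",
    "2020-05-08T17:01:09Z login ok user=bob session=9d0e1f2a3b4c5d6e",
    "2020-05-08T17:03:40Z sso reuse user=alice session=4f2a9c1e7b3d4a56",
]


def hash_session_id(session_id: str, key: bytes, length: int = 16) -> str:
    """Return a keyed one-way token for a session ID (truncated hex HMAC)."""
    digest = hmac.new(key, session_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:length]


def scrub_line(line: str, key: bytes) -> str:
    """Replace every session=<value> field with session_hash=<token>."""
    return SESSION_FIELD.sub(
        lambda m: "session_hash=" + hash_session_id(m.group(1), key), line)


def scrub_sample() -> list:
    """Scrub the constructed sample lines with the example key."""
    return [scrub_line(line, LOG_KEY) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for scrubbed in scrub_sample():
        print(scrubbed)
```
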

