IdP Session ID question
Cantor, Scott
cantor.2 at osu.edu
Fri May 8 17:35:43 UTC 2020
On 5/8/20, 1:14 PM, "users on behalf of Mak, Steve" <users-bounces at shibboleth.net on behalf of makst at upenn.edu> wrote:
> 1. How sensitive is the idp session id value?
That depends on #3 and on your session storage model but even client storage is vulnerable to theft because there's no equivalent to the HttpOnly flag on local storage.
> 2. Has anyone written a script to perform a one-way hash on the value for logging purposes?
You can look at the hashed username audit extractor example in the audit-system.xml file to see how it can be done.
> 3. Does the idp session id sensitivity change if we have idp.session.consistentAddress = false ?
I think it does; lots of people disagree, obviously, since virtually no applications do that anymore, nor do Java containers in general.
Either IP spoofing is easy, in which case that's unconscionable, or it's very hard, in which case it's of no value to check it. It seems like one of the two must be the truth.
-- Scott
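As an added illustration of the one-way hashing asked about in question 2 (this is example code, not the Shibboleth IdP's own audit extractor from audit-system.xml): a keyed hash (HMAC-SHA256) lets audit lines from one session still be correlated while keeping the raw session id out of the log. The key, the `session=` field name and the log lines are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed key for the example; a real deployment would load this from
# protected configuration and rotate it, never hard-code it.
LOG_HASH_KEY = b"constructed-example-key"

# Hypothetical audit field name; real audit formats are configured per deployment.
SESSION_FIELD = re.compile(r"(session=)([A-Za-z0-9_\-]+)")


def hash_session_id(session_id: str, key: bytes = LOG_HASH_KEY) -> str:
    """Keyed one-way hash of a session id for audit logs.

    The same id and key always give the same token, so lines from one session
    can still be correlated, but the raw id cannot be recovered from the log
    and, unlike an unkeyed digest, cannot be confirmed by anyone lacking the key.
    Truncating to 128 bits is plenty for correlation and keeps lines short.
    """
    mac = hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode("ascii")


def redact_line(line: str, key: bytes = LOG_HASH_KEY) -> str:
    """Replace every session=<raw id> occurrence in a log line with its hash."""
    return SESSION_FIELD.sub(
        lambda m: m.group(1) + hash_session_id(m.group(2), key), line)


# Constructed log lines: two events from one session, one from another.
SAMPLE_LOG = [
    "20200508T173543Z|login|user=steve|session=_a1b2c3d4e5f6",
    "20200508T173601Z|sso|user=steve|session=_a1b2c3d4e5f6|sp=https://sp.example.org",
    "20200508T173620Z|login|user=alice|session=_zz9yy8xx7ww6",
]


def redact_log(lines=SAMPLE_LOG, key: bytes = LOG_HASH_KEY):
    """Return the log with every raw session id replaced by its keyed hash."""
    return [redact_line(line, key) for line in lines]


if __name__ == "__main__":
    for line in redact_log():
        print(line)
```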