IdP Session ID question

Mak, Steve makst at
Fri May 8 20:55:53 UTC 2020

Thank you Scott.

Your answers helped us decide to hash the idp session before sticking it into the audit log. It wasn't that hard to do either.

- Steve

On 5/8/20, 13:35, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

On 5/8/20, 1:14 PM, "users on behalf of Mak, Steve" <users-bounces at on behalf of makst at> wrote:

> 1. How sensitive is the idp session id value?

That depends on #3 and on your session storage model but even client storage is vulnerable to theft because there's no equivalent to the HttpOnly flag on local storage.

> 2. Has anyone written a script to perform a one-way hash on the value for logging purposes?

You can look at the hashed username audit extractor example in the audit-system.xml file to see how it can be done.

> 3. Does the idp session id sensitivity change if we have idp.session.consistentAddress = false ?

I think it does; lots of people disagree, obviously, since virtually no applications do that anymore, nor do Java containers in general.

Either IP spoofing is easy, in which case that's unconscionable, or it's very hard, in which case it's of no value to check it. It seems like one of the two must be the truth.

-- Scott
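The thread settles on one-way hashing the IdP session ID before it reaches the audit log, and Scott points at the hashed-username audit extractor in audit-system.xml as the pattern. The following is an added, stand-alone illustration of that pattern and is not code from this thread or from the Shibboleth project: it keys the hash with a secret (HMAC-SHA256, truncated) so that log entries for one session still correlate with each other, while the logged token can neither be replayed as the session ID nor recomputed by someone who obtains the log but not the key. The record layout (pipe-separated fields with the session ID in the third column), the key value and the sample records are all constructed for the example.

```python
import hashlib
import hmac

# Constructed example key. A real deployment would load this from the
# IdP's secret store or configuration, never hard-code it.
LOG_HASH_KEY = b"example-audit-pepper-not-a-real-secret"


def hash_session_id(session_id: str, key: bytes = LOG_HASH_KEY, length: int = 16) -> str:
    """Return a truncated keyed SHA-256 digest of a session ID for logging.

    The same session always maps to the same token, so audit events can
    still be tied together; the token cannot be reversed to recover the
    session ID, and without the key it cannot be recomputed from a guess.
    """
    digest = hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def redact_audit_line(line: str, field_index: int = 2, sep: str = "|") -> str:
    """Replace the session-ID field of one audit record with its hashed form.

    Records with too few fields, or an empty session field, pass through
    unchanged so that unrelated log lines are not mangled.
    """
    fields = line.rstrip("\n").split(sep)
    if len(fields) <= field_index or not fields[field_index]:
        return line.rstrip("\n")
    fields[field_index] = hash_session_id(fields[field_index])
    return sep.join(fields)


def redact_audit_log(lines, field_index: int = 2, sep: str = "|"):
    """Redact a whole audit log, returning the rewritten records and the
    number of distinct (hashed) sessions seen, which is the correlation
    the one-way hash preserves."""
    redacted = [redact_audit_line(line, field_index, sep) for line in lines]
    sessions = {
        r.split(sep)[field_index]
        for r in redacted
        if len(r.split(sep)) > field_index and r.split(sep)[field_index]
    }
    return redacted, len(sessions)


# Constructed sample audit records: timestamp|event|session_id|principal|relying_party
SAMPLE_AUDIT = [
    "20200508T201500Z|SSO|_a1b2c3d4e5f6|alice|https://sp.example.edu/shibboleth",
    "20200508T201530Z|SSO|_a1b2c3d4e5f6|alice|https://other.example.edu/shibboleth",
    "20200508T201600Z|SSO|_0f9e8d7c6b5a|bob|https://sp.example.edu/shibboleth",
    "20200508T201700Z|Logout||alice|",  # empty session field: left as-is
]


if __name__ == "__main__":
    records, distinct = redact_audit_log(SAMPLE_AUDIT)
    for r in records:
        print(r)
    print(f"{distinct} distinct sessions after hashing")
```

Truncating the digest to 16 hex characters (64 bits) is enough to keep sessions distinct in a log while shortening the field; a deployment that needs stronger collision resistance can log the full digest. Rotating the key ends correlation across the rotation boundary, which is a trade-off to decide deliberately rather than by accident.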
