IdP Session ID question
Mak, Steve
makst at upenn.edu
Fri May 8 20:55:53 UTC 2020
Thank you Scott.
Your answers helped us decide to hash the idp session before sticking it into the audit log. It wasn't that hard to do either.
- Steve
On 5/8/20, 13:35, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:
On 5/8/20, 1:14 PM, "users on behalf of Mak, Steve" <users-bounces at shibboleth.net on behalf of makst at upenn.edu> wrote:
> 1. How sensitive is the idp session id value?
That depends on #3 and on your session storage model but even client storage is vulnerable to theft because there's no equivalent to the HttpOnly flag on local storage.
> 2. Has anyone written a script to perform a one-way hash on the value for logging purposes?
You can look at the hashed username audit extractor example in the audit-system.xml file to see how it can be done.
> 3. Does the idp session id sensitivity change if we have idp.session.consistentAddress = false ?
I think it does, lots of people disagree obviously since virtually no applications do that anymore, nor do Java containers in general.
Either IP spoofing is easy, in which case that's unconscionable, or it's very hard, in which case it's of no value to check it. It seems like one of the two must be the truth.
-- Scott
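
Added example (not from the thread, and not the extractor in audit-system.xml): one way to hash a session ID before it reaches an audit log, here with HMAC-SHA256 under a log-only key, so records for one session still correlate but the logged value cannot be replayed as a session ID. The key, the pipe-delimited record layout, the function names and the session IDs are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption); in practice load a secret kept outside the log pipeline.
LOG_KEY = b"constructed-demo-key-not-a-real-secret"


def session_token(session_id: str, key: bytes = LOG_KEY) -> str:
    """Keyed one-way digest of a session ID, safe to write to an audit log."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_line(timestamp: str, principal: str, session_id: str, event: str) -> str:
    """Build a pipe-delimited record (constructed layout) with the session ID replaced."""
    return "|".join([timestamp, principal, session_token(session_id), event])


def lines_for_session(lines, session_id: str, key: bytes = LOG_KEY):
    """Incident response: given a known session ID, find the records it produced."""
    wanted = session_token(session_id, key)
    return [ln for ln in lines
            if hmac.compare_digest(ln.split("|")[2], wanted)]


# Constructed sample values, not real IdP session IDs.
SID_A = "4f1c9e0b7a2d4c55a8e3d1f0b6c7a9e2"
SID_B = "9a8b7c6d5e4f40312233445566778899"
SAMPLE_LOG = [
    audit_line("2020-05-08T17:14:02Z", "alice", SID_A, "login"),
    audit_line("2020-05-08T17:20:41Z", "bob", SID_B, "login"),
    audit_line("2020-05-08T17:35:10Z", "alice", SID_A, "sso"),
]

if __name__ == "__main__":
    # The raw session IDs never appear in the printed records.
    for line in SAMPLE_LOG:
        print(line)
```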