Use HTTP verb in Service Provider request mapper
Fabien BERTEAU
fabien.berteau at manomano.com
Thu Oct 21 13:51:55 UTC 2021
There are also many points for me to confirm. This is the object of this
prototype. Regarding cookies, it is indeed HttpOnly which takes them out of
document.cookie; it was a mistake to mention Secure in addition.
Do you mean that there exists some kind of attack that could catch SAML
assertions?
Fabien Berteau | Security Architect
Bordeaux
fabien.berteau at manomano.com <aurelien.lajoie at manomano.com>
On Thu, 21 Oct 2021 at 15:43, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 10/21/21, 9:28 AM, "users on behalf of Fabien BERTEAU" <
> users-bounces at shibboleth.net on behalf of fabien.berteau at manomano.com>
> wrote:
>
> > The main reason why I do not agree with the very principles of OIDC
> > is that the access token is a bearer security.
>
> Yes, but so is a SAML assertion (or artifact) and so are session cookies.
> And only Shibboleth even pretends the IP address ever matters.
>
> > If the session cookie is HTTP only and secure, then it is out of
> > scope and should be automatically loaded by the browser when it is
> > called via its XMLHTTPRequest interface.
>
> I actually had thought that was the point of HttpOnly, to prevent that,
> but I'm led to understand that it only prevents access via document.cookie.
> So, I guess that's somewhat rational as long as you control every last bit
> of code on that cookie's origin.
>
> As you can see, I'm really not the one to be assessing it, my
> understanding is many years old.
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
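The exchange above turns on what the cookie attributes actually buy you: HttpOnly keeps a cookie out of document.cookie but does not stop the browser from attaching it to XMLHttpRequest or fetch calls to the cookie's origin, and Secure only restricts the cookie to HTTPS. The following Node.js snippet is an added example, not code from either participant or from the Shibboleth project: it parses Set-Cookie headers and reports which of those protections a session cookie is missing. The header strings are constructed for illustration.

```javascript
// Added example (not from the thread): audit a Set-Cookie header for the
// attributes discussed above. Assumes Node.js; no external dependencies.

// Parse "name=value; Attr; Attr=val" into a structured object.
// Attribute names are lower-cased; valueless attributes become `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrs] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Report what a session cookie lacks. Each finding says what the missing
// attribute would have prevented; none of them stops the browser from
// sending the cookie on same-origin XHR/fetch, which is by design.
function auditSessionCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.httponly) {
    findings.push('missing HttpOnly: cookie is readable via document.cookie');
  }
  if (!attributes.secure) {
    findings.push('missing Secure: cookie may be sent over plain HTTP');
  }
  const sameSite =
    typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (!sameSite || sameSite === 'none') {
    findings.push('SameSite not set or None: browser may attach it to cross-site requests');
  }
  // The __Host- prefix is only honoured when Secure is set, Path is "/" and
  // no Domain attribute is present.
  if (
    name.startsWith('__Host-') &&
    (!attributes.secure || attributes.path !== '/' || 'domain' in attributes)
  ) {
    findings.push('__Host- prefix requires Secure, Path=/ and no Domain');
  }
  return { name, ok: findings.length === 0, findings };
}

// Constructed sample headers (not from any real deployment).
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly',
  '__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
];

function auditAll(headers) {
  return headers.map(auditSessionCookie);
}

for (const result of auditAll(SAMPLE_HEADERS)) {
  console.log(result.name, result.ok ? 'OK' : result.findings.join('; '));
}
```

Run it with `node audit-cookie.js`; the first sample is flagged for missing Secure and SameSite, the second passes.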