Use HTTP verb in Service Provider request mapper

Fabien BERTEAU fabien.berteau at
Thu Oct 21 13:51:55 UTC 2021

There are also many points for me to confirm. That is the purpose of this
prototype. Regarding cookies, it is indeed HttpOnly that keeps them out of
document.cookie; it was a mistake to mention Secure as well.

Do you mean that there exists some kind of attack that could catch SAML
assertions?

Fabien Berteau | Security Architect


fabien.berteau at

On Thu, 21 Oct 2021 at 15:43, Cantor, Scott <cantor.2 at> wrote:

> On 10/21/21, 9:28 AM, "users on behalf of Fabien BERTEAU" <users-bounces at on behalf of fabien.berteau at> wrote:
> > The main reason why I do not agree with the very principles of OIDC is that the access token is a bearer security.
> Yes, but so is a SAML assertion (or artifact) and so are session cookies.
> And only Shibboleth even pretends the IP address ever matters.
> > If the session cookie is HTTP only and secure, then it is out of scope and should be automatically loaded by the browser when it is called via its XMLHTTPRequest interface.
> I actually had thought that was the point of HttpOnly, to prevent that,
> but I'm led to understand that it only prevents access via document.cookie.
> So, I guess that's somewhat rational as long as you control every last bit
> of code on that cookie's origin.
> As you can see, I'm really not the one to be assessing it, my
> understanding is many years old.
> -- Scott
