Shibboleth Identity Provider Security Advisory [18 July 2011]

Multi-Session Information Leakage
=================================

In order to carry environmental information (e.g., IP address) that is not directly linked to a user's identity but is available only at authentication time, some sites have developed custom login handlers that place this additional information in the user's session. This information is then often retrieved by the attribute resolver and used in some manner.

If a user logs in to the IdP from multiple user agents, and thus establishes multiple concurrent sessions, and the service provider queries for attributes about the user, only the information from the first established session will be available to the resolver. As an example, if the IP address of the client is stored in the first session and the user then logs in from a different user agent with a different IP address, only the initial IP address will be visible during an attribute query.

Affected Versions
=================

Shibboleth IdP v2.1.0 and later

Recommendations
===============

Do not use attribute queries in conjunction with session information that is not directly tied to user authentication. Instead, consider pushing attributes during SSO.

Credits
=======

Manuel Haim, Philipps-Universität Marburg

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20110718.txt
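A small model of the behaviour described in this advisory, added here as an illustration and not Shibboleth IdP code. It assumes a custom login handler that stores the client IP in the session, a session store that indexes sessions by principal name and hands back the first one established, and a back-channel attribute query that can only identify the user by principal (the SP sends no browser cookie), beside the recommended SSO push, which resolves against the browser's own session. The IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    session_id: str
    principal: str
    environment: dict = field(default_factory=dict)  # login-time data, e.g. client IP


class SessionManager:
    """Hypothetical IdP session store: sessions indexed by id and by principal."""

    def __init__(self):
        self._next = 1
        self._by_id = {}
        self._by_principal = {}  # principal -> sessions in creation order

    def login(self, principal, client_ip):
        """Custom login handler behaviour: stash environmental info in the session."""
        s = Session(f"s{self._next}", principal, {"clientIp": client_ip})
        self._next += 1
        self._by_id[s.session_id] = s
        self._by_principal.setdefault(principal, []).append(s)
        return s

    def session_for_cookie(self, session_id):
        """Front-channel lookup: the browser presents its own session id."""
        return self._by_id[session_id]

    def session_for_principal(self, principal):
        """Back-channel lookup: only a principal name is known, so the
        first established session wins, whatever user agent is asking."""
        return self._by_principal[principal][0]


def resolve_client_ip(session):
    """Attribute resolver pulling the login-time value out of a session."""
    return session.environment["clientIp"]


def attribute_query(mgr, principal):
    """SAML attribute query from the SP: names the principal, carries no cookie."""
    return resolve_client_ip(mgr.session_for_principal(principal))


def sso_push(mgr, session_id):
    """Attributes pushed in the SSO assertion: resolved for the current browser session."""
    return resolve_client_ip(mgr.session_for_cookie(session_id))


def demo():
    mgr = SessionManager()
    mgr.login("alice", "192.0.2.10")               # first user agent (constructed)
    second = mgr.login("alice", "198.51.100.7")    # second user agent (constructed)
    return {
        "query_sees": attribute_query(mgr, "alice"),          # stale: first session's IP
        "push_sees": sso_push(mgr, second.session_id),        # correct for this agent
    }
```

Running `demo()` shows the query returning the first session's address even though the second user agent is the one currently talking to the SP, while the pushed value follows the session that actually authenticated.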