Shibboleth Identity Provider Security Advisory [18 July 2011]

Multi-Session Information Leakage
================================
In order to carry environmental information (e.g., IP address) not directly
linked to a user's identity but available only at authentication time some
sites have developed custom login handlers that place this additional
information in the user's session.  This information is then, often, retrieved
by the attribute resolver and used in some manner.

If a user logs in to the IdP from multiple user-agents, and thus establishes
multiple, concurrent sessions and the service provider queries for attributes
about the user, only the information from the first established session will be
available to the resolver.

As an example, if the IP address of the client is stored in the first session
and the user then logs in from a different user agent with a different IP 
address only the initial IP address will be visible during an attribute query.


Affected Versions
=================
Shibboleth IdP v2.1.0 and later


Recommendations
===============
Do not use attribute queries in conjunction with session information that is
not directly tied to user authentication.  Instead, consider pushing attributes
during SSO.


Credits
=======
Manuel Haim, Philipps-Universität Marburg


URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20110718.txt