Assurance

["Cantor, Scott" <>]

On 8/8/12 1:16 PM, "Russell J Yount" 
<>
 wrote:

> 
>Shouldn¹t the scenarios of  an attacker creating a cookie and its
>contents, places it in the browser cache, then visits the IDP which
>recognizes the cookie
> as a valid session be addressed also?
> 
>SSL only addresses the security of the communications between browser and
>IdP.  There are other techniques  employed to prevent the use of a
>non-IdP created
> cookie that could fool the IdP into believing the browser has an
>authenticated session.

Which ones do you think should be required? What if a product out there
doesn't do some of them? I ask that because I know it's true.

It's a somewhat dangerous road to go down, that's all I'm saying.

-- Scott