
assurance - Re: [Assurance] Addressing InCommon IAP & Shibboleth IdP

Subject: Assurance

  • From: "Cantor, Scott" <>
  • To: "" <>
  • Subject: Re: [Assurance] Addressing InCommon IAP & Shibboleth IdP
  • Date: Wed, 8 Aug 2012 17:28:07 +0000
  • Accept-language: en-US

On 8/8/12 1:16 PM, "Russell J Yount" <> wrote:

>
>Shouldn't the scenarios of an attacker creating a cookie and its
>contents, placing it in the browser cache, then visiting the IDP which
>recognizes the cookie as a valid session be addressed also?
>
>SSL only addresses the security of the communications between browser and
>IdP. There are other techniques employed to prevent the use of a
>non-IdP created cookie that could fool the IdP into believing the browser
>has an authenticated session.

Which ones do you think should be required? What if a product out there
doesn't do some of them? I ask that because I know it's true.

It's a somewhat dangerous road to go down, that's all I'm saying.

-- Scott
