shibboleth-dev - RE: Multiple targets in a single domain?

Subject: Shibboleth Developers

  • From: Jim Fox <>
  • To: Scott Cantor <>
  • Cc: "'Diego R. Lopez'" <>,
  • Subject: RE: Multiple targets in a single domain?
  • Date: Thu, 1 Jul 2004 09:33:00 -0700 (PDT)



On Thu, 1 Jul 2004, Scott Cantor wrote:


However, I'd like to clarify something...I didn't think the attack Jim was
concerned about involved one application obtaining another application's
session key for a user, except in the case where it would then impersonate
the user (which would require IP spoofing or disabling the IP check).


My concern was that the stolen session cookie could be used
to hijack the user's existing session. If there is a client
IP address attached to the session then this is less of a concern.
We considered doing this with pubcookie sessions
but decided not to for a couple of reasons: first that the client
might change IP addresses during a session, second that clients
behind a firewall often have the same IP address anyway.

Jim
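
An added example, not part of the original message and not pubcookie or Shibboleth code: a minimal MAC-protected session cookie with an optional client-IP binding, replayed from several addresses to show the two trade-offs discussed above. The cookie layout, function names and addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed key, for this example only


def issue_cookie(user, client_ip, bind_ip):
    """Return 'user|bound_ip|mac'; bound_ip is empty when the session is unbound."""
    bound = client_ip if bind_ip else ""
    payload = f"{user}|{bound}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate_cookie(cookie, request_ip):
    """Return the user if the MAC verifies and any bound IP matches, else None."""
    try:
        user, bound, mac = cookie.split("|")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user}|{bound}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or altered cookie
    if bound and bound != request_ip:
        return None  # IP check: request came from a different address
    return user


def scenarios():
    """Present one user's cookie from constructed RFC 5737 addresses."""
    owner_ip, other_ip, roamed_ip = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    bound = issue_cookie("alice", owner_ip, bind_ip=True)
    unbound = issue_cookie("alice", owner_ip, bind_ip=False)
    return {
        # No binding: the cookie alone is enough from any address.
        "unbound_replayed_elsewhere": validate_cookie(unbound, other_ip),
        # Binding rejects the same cookie presented from another address.
        "bound_replayed_elsewhere": validate_cookie(bound, other_ip),
        # First reason: the owner's address changed mid-session, so the owner is rejected.
        "bound_owner_roamed": validate_cookie(bound, roamed_ip),
        # Second reason: a second client behind the same firewall shares owner_ip.
        "bound_replayed_same_nat": validate_cookie(bound, owner_ip),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} -> {result}")
```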


