
shibboleth-dev - RE: Multiple targets in a single domain?

Subject: Shibboleth Developers


RE: Multiple targets in a single domain?


  • From: Scott Cantor <>
  • To: 'Jim Fox' <>
  • Cc: "'Diego R. Lopez'" <>,
  • Subject: RE: Multiple targets in a single domain?
  • Date: Thu, 01 Jul 2004 10:42:24 -0600
  • Organization: The Ohio State University

> My concern was that the stolen session cookie could be used
> to hijack the user's existing session. If there is a client
> ip address attached to the session then this is less of a
> concern. We considered doing this with pubcookie sessions
> but decided not to for a couple of reasons: first that the client
> might change ip addresses during a session, second that clients
> behind a firewall often have the same ip address anyway.

Ok, I was just making sure that was the concern. I think it's worth noting
that that doesn't give the evil app any attributes, unless the good app does
something that causes them to be deducible ("Hello Scott, with EPPN X and
Patient ID # Y"). Which is common, I admit. ;-)

As far as the IP thing, we actually have almost no services at OSU that
disable the IP check. It comes up occasionally, but rarely. The firewall
issue is certainly true though, at least for users all grouped at one
location. Doesn't help the evil app either, since he's got a different
address.

-- Scott
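
An added example, not part of the original message and not Shibboleth or pubcookie code: a minimal session table that binds each cookie to the client address, run against the cases raised in this thread (a replay from another address, a replay from behind the same firewall, and a legitimate client whose address changed). The `SessionStore` class, its `check_address` flag and all addresses are hypothetical and constructed for illustration.

```python
from __future__ import annotations

import ipaddress
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    client_ip: ipaddress.IPv4Address | ipaddress.IPv6Address  # address at login


class SessionStore:
    """Hypothetical in-memory session table keyed by the cookie value."""

    def __init__(self, check_address: bool = True):
        self.check_address = check_address
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        cookie = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[cookie] = Session(user, ipaddress.ip_address(client_ip))
        return cookie

    def validate(self, cookie: str, client_ip: str) -> Optional[str]:
        """Return the user, or None if the cookie is unknown or the address differs."""
        session = self._sessions.get(cookie)
        if session is None:
            return None
        if self.check_address and session.client_ip != ipaddress.ip_address(client_ip):
            return None  # cookie presented from a different address: reject
        return session.user


def demo() -> dict[str, Optional[str]]:
    store = SessionStore(check_address=True)
    cookie = store.create("scott", "192.0.2.10")  # constructed RFC 5737 addresses
    return {
        # Original browser, unchanged address: accepted.
        "same_client": store.validate(cookie, "192.0.2.10"),
        # Cookie replayed from a host with its own address: rejected.
        "replay_other_address": store.validate(cookie, "198.51.100.7"),
        # Cookie replayed from behind the same firewall/NAT: the check cannot tell.
        "replay_same_firewall": store.validate(cookie, "192.0.2.10"),
        # Legitimate user whose address changed mid-session: also rejected.
        "legit_address_changed": store.validate(cookie, "203.0.113.5"),
    }
```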



