shibboleth-dev - Re: Multiple targets in a single domain?

Subject: Shibboleth Developers

Re: Multiple targets in a single domain?

  • From: "Michael A. Grady" <>
  • To: Scott Cantor <>
  • Cc: "'Jim Fox'" <>, "'Diego R. Lopez'" <>,
  • Subject: Re: Multiple targets in a single domain?
  • Date: Thu, 1 Jul 2004 11:53:15 -0500

As Jim mentions, we found with our WebISO (Bluestem) that we had to disable
the IP check -- too often users were coming in from ISPs or from corporate
settings (doing internships) where their IP kept changing during a session.

On Thu, Jul 01, 2004 at 10:42:24AM -0600, Scott Cantor wrote:
> > My concern was that the stolen session cookie could be used
> > to hijack the user's existing session. If there is a client
> > ip address attached to the session then this is less of a
> > concern. We considered doing this with pubcookie sessions
> > but decided not to for a couple of reasons: first that the client
> > might change ip addresses during a session, second that clients
> > behind a firewall often have the same ip address anyway.
>
> Ok, I was just making sure that was the concern. I think it's worth noting
> that that doesn't give the evil app any attributes, unless the good app does
> something that causes them to be deducible ("Hello Scott, with EPPN X and
> Patient ID # Y"). Which is common, I admit. ;-)
>
> As far as the IP thing, we actually have almost no services at OSU that
> disable the IP check. It comes up occasionally, but rarely. The firewall
> issue is certainly true though, at least for users all grouped at one
> location. Doesn't help the evil app either, since he's got a different
> address.
>
> -- Scott

--
Michael A. Grady 217.244.1253
Senior Technology Architect and Strategist 217.265.5635 fax
Manager, Integration and Software Engineering
Campus Information Technologies and Educational Services (CITES)
University of Illinois at Urbana-Champaign
Rm. 105, 2212 Fox Drive, Suite C, Champaign, IL 61820
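
The trade-off discussed in this thread, as an added example that is not part of the original messages and is not Shibboleth, pubcookie or Bluestem code: a toy session table with an optional client-IP check, run against a user whose address changes and against a replayed cookie. The names SessionStore, check_ip and run_scenarios are hypothetical, and the addresses are constructed from the RFC 5737 documentation ranges.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    client_ip: str  # address seen when the session was created


class SessionStore:
    """Toy session table; check_ip stands in for the 'IP check' toggle (assumed name)."""

    def __init__(self, check_ip=True):
        self.check_ip = check_ip
        self._sessions = {}

    def create(self, user, client_ip):
        cookie = secrets.token_urlsafe(32)  # opaque session cookie value
        self._sessions[cookie] = Session(user, client_ip)
        return cookie

    def validate(self, cookie, client_ip):
        """Return 'ok', 'no-session' or 'ip-mismatch' for a presented cookie."""
        session = self._sessions.get(cookie)
        if session is None:
            return "no-session"
        if self.check_ip and session.client_ip != client_ip:
            return "ip-mismatch"
        return "ok"


def run_scenarios(check_ip):
    """Replay one cookie from several constructed client addresses."""
    store = SessionStore(check_ip=check_ip)
    cookie = store.create("alice", "192.0.2.10")
    return {
        # Legitimate user, unchanged address.
        "same_address": store.validate(cookie, "192.0.2.10"),
        # Legitimate user whose ISP or corporate proxy changed the address.
        "user_address_changed": store.validate(cookie, "198.51.100.7"),
        # Copied cookie presented from an unrelated address.
        "cookie_replayed_elsewhere": store.validate(cookie, "203.0.113.50"),
        # Copied cookie presented from behind the same firewall/NAT address.
        "cookie_replayed_same_nat": store.validate(cookie, "192.0.2.10"),
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("check_ip =", flag, run_scenarios(flag))
```

With the check on, the replay from another address is refused but so is the user whose address changed, and the replay from the shared address still passes; with the check off, all four are accepted.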


