shibboleth-dev - RE: Shibboleth and ipv6

RE: Shibboleth and ipv6

  • From: "RL 'Bob' Morgan" <>
  • To:
  • Subject: RE: Shibboleth and ipv6
  • Date: Wed, 19 Oct 2005 14:30:41 -0700 (PDT)


On Wed, 19 Oct 2005, Scott Cantor wrote:

> No, the threat I worry about is cookie theft, which is much easier. Browsers don't do a good job of protecting against that; bugs there crop up constantly. An IP check is an order of magnitude harder to beat than exploiting the bug of the week in IE is.

Right, there has been some discussion of cookie theft here recently, in the context of our big all-comers web servers (staff.washington.edu, students., etc), where of course cookie theft would be easy with hostile javascript to permit getting to another user's site on the same server. In fact it appears that we are going to move to a <netid>.foo.washington.edu naming scheme to protect against this.

> I should point out that this is more of a consequence of implementation than anything else. I could have (and maybe I should) split the settings up so that you could disable the IdP vs SP address check during initial sign on but still lock the session cookie down to one address.

> I equated them because in my experience it's not an IdP vs SP problem but more of a problem with a user behind a proxy that's changing the address all the time, so when we've had to disable it, it's been for both purposes.
>
> Sounds like your scenario of local campus NAT might justify splitting them up for the next version.

Yah, it occurred to me also that an SP-only address check might be useful, though if those AOL-type proxies are a concern, a site couldn't turn that on either. But I'm sure some sites would find it worth the tradeoff.

- RL "Bob"
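The split Scott describes above, modelled as an added illustration (not Shibboleth SP code): one setting governs the IdP-vs-SP address comparison at initial sign-on, a second binds the resulting session cookie to the address that created it, so a site with users behind rotating proxies can relax the first while keeping the second. The setting names and the in-memory store are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
import secrets


@dataclass
class SessionPolicy:
    # Hypothetical setting 1: compare the client address the IdP recorded at
    # sign-on with the address the SP sees. Sites whose users sit behind
    # address-rotating proxies (the AOL-style case) may need this off.
    check_sso_address: bool = True
    # Hypothetical setting 2: lock the session cookie to the address that
    # created it. Can stay on even when setting 1 is off, which is the point.
    lock_session_address: bool = True


@dataclass
class SessionStore:
    policy: SessionPolicy
    sessions: Dict[str, str] = field(default_factory=dict)  # sid -> address

    def create_session(self, idp_reported_addr: str, sp_seen_addr: str) -> Optional[str]:
        """Initial sign-on. Returns a new session id, or None if rejected."""
        if self.policy.check_sso_address and idp_reported_addr != sp_seen_addr:
            return None  # IdP and SP disagree about where the client is
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        self.sessions[sid] = sp_seen_addr
        return sid

    def validate(self, sid: str, client_addr: str) -> bool:
        """Later request carrying the session cookie from client_addr."""
        bound_addr = self.sessions.get(sid)
        if bound_addr is None:
            return False  # unknown or expired session
        if self.policy.lock_session_address and bound_addr != client_addr:
            return False  # cookie presented from a different address: treat as theft
        return True


def proxy_user_flow() -> tuple:
    """Constructed scenario: a proxied user whose IdP-seen and SP-seen addresses
    differ, at a site that relaxed setting 1 but kept setting 2."""
    store = SessionStore(SessionPolicy(check_sso_address=False, lock_session_address=True))
    sid = store.create_session("10.0.0.5", "198.51.100.7")
    same_addr_ok = store.validate(sid, "198.51.100.7")
    other_addr_ok = store.validate(sid, "203.0.113.9")  # replayed elsewhere
    return sid is not None, same_addr_ok, other_addr_ok


if __name__ == "__main__":
    print(proxy_user_flow())  # (True, True, False)
```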

