
shibboleth-dev - RE: [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages)

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] Shib session cookie propagation (was: Suhosin error messages)
  • Date: Mon, 16 Aug 2010 12:30:44 -0400
  • Organization: The Ohio State University

> Address checking is not enabled by default, and I can understand why
> (especially after I spent a couple of weeks with a bad 3G/GPRS/etc
> connection this summer). All the same, our guides recommend it.

You're mixing up two settings. I'm talking about consistentAddress, not
checkAddress. They're very different, and consistentAddress should generally
not be disabled and rarely needs to be.

> If I operated large LANs (as most universities do), I'd be concerned about
> the session stealing problem above.

Does any system that issues cookie-backed sessions do what you're talking
about? Java? ASP? PHP? If not, I really can't see starting with mine...

> I can understand that dealing with Apache request handling is more than
> ugly. Still I think that hiding Shib session cookie from applications would
> improve the security of the SP - even though I haven't heard of such attacks
> yet.

It's not more than ugly, it's virtually impossible. The spoof checking works
mainly because it operates in reverse: I can be conservative about checking
and assume that the clearing mechanism works as intended anyway. So it tries
to skip the check in a wide range of scenarios, since any check in a
subrequest would be a false positive.

What you're suggesting would clear the cookie and fail with *any*
subrequests at all, and that would break a large percentage of the time.
Often in very unusual and hard to predict cases.

What *might* work, and only on some versions of Apache, is to internally set
up some state to inherit the session information across the subrequest
boundary, but it's a fairly substantial and error prone change. So I'd go
back to my question above: is this *really* something systems do?

-- Scott




