[Openid-specs-ab] Session Management: Security Considerations

Andreas Åkre Solberg andreas.solberg at uninett.no
Wed Aug 31 11:51:58 UTC 2011


I'm referring to OpenID Connect Session Management 1.0 - draft 03.
http://openid.net/specs/openid-connect-session-1_0.html

If we consider a user agent that logs query string parameters in history (for example, Safari does).

Say that user A logs out of service X, and the service ends the session at the provider as well. This means that the ID Token of the terminated session may be present in the browser history (depending on whether the logout flow includes redirects or displays an info page…).

Say that user B logs in to service X right after, waits for the session to time out, or forces the check session request by other means, and the user is redirected to the provider check session endpoint. Now user B crafts the response to this request, putting in the ID Token from user A (that is still valid!).

Now user B is authenticated as user A.

Andreas
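The scenario above hinges on the relying party accepting whatever ID Token comes back from the check session round trip. The following is an added example of the defender-side check an RP can apply, not code from this thread, from UNINETT, or from the Session Management draft: it binds the returned token to the session that issued the check (same subject, same audience, a nonce the RP chose for that request) and ends the session on any mismatch rather than adopting the token's identity. The HS256 shared key, the `nonce` binding, the claim names beyond `sub`/`aud`/`exp`/`iat`, the client identifier `service-x`, and all tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key shared with the stand-in "provider"; a real RP
# verifies against the OP's published keys, not a shared secret.
OP_KEY = b"constructed-demo-key"
CLIENT_ID = "service-x"   # constructed client identifier for "service X"
NOW = 1_000_000           # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = OP_KEY) -> str:
    """Stand-in for the provider: sign the claims as a compact HS256 JWS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes = OP_KEY, now=None) -> dict:
    """Signature and expiry only; this says nothing about *whose* session it is."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def new_session(sub: str, nonce: str) -> dict:
    """Server-side RP session state recorded at the user's own login.
    `nonce` is the value the RP sent with its check session request (assumed binding)."""
    return {"sub": sub, "nonce": nonce, "active": True}


def accept_check_session_response(session: dict, token: str, now=None) -> bool:
    """RP-side handling of the ID Token returned by the check session round trip.

    The token must be validly signed and unexpired, addressed to this client,
    carry the nonce the RP chose for this request, and name the same subject the
    session already belongs to. Any failure ends the session; a replayed token
    for another user (still valid, still signed) is therefore rejected.
    """
    try:
        claims = verify_id_token(token, now=now)
    except ValueError:
        session["active"] = False
        return False
    bound = (
        claims.get("aud") == CLIENT_ID
        and claims.get("nonce") == session["nonce"]
        and claims.get("sub") == session["sub"]
    )
    session["active"] = bound
    return bound


def demo() -> tuple:
    """Returns (genuine_accepted, replay_with_old_nonce_accepted, replay_with_matched_nonce_accepted)."""
    # User A's still-valid ID Token, as it might survive in browser history.
    token_a = make_id_token({"iss": "https://op.example", "sub": "user-a", "aud": CLIENT_ID,
                             "nonce": "n-a1", "iat": NOW - 300, "exp": NOW + 600})
    # The same token content but with user B's request nonce: sub binding alone must catch it.
    token_a_renonced = make_id_token({"iss": "https://op.example", "sub": "user-a", "aud": CLIENT_ID,
                                      "nonce": "n-b1", "iat": NOW - 300, "exp": NOW + 600})
    # The provider's genuine answer for user B's own session check.
    token_b = make_id_token({"iss": "https://op.example", "sub": "user-b", "aud": CLIENT_ID,
                             "nonce": "n-b1", "iat": NOW, "exp": NOW + 600})
    genuine = accept_check_session_response(new_session("user-b", "n-b1"), token_b, now=NOW)
    replay_old_nonce = accept_check_session_response(new_session("user-b", "n-b1"), token_a, now=NOW)
    replay_matched = accept_check_session_response(new_session("user-b", "n-b1"), token_a_renonced, now=NOW)
    return genuine, replay_old_nonce, replay_matched


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The decisive check is the last one: a token that is perfectly valid for user A is still not a valid answer to a question asked on behalf of user B's session, so the RP compares `sub` against what it already recorded instead of trusting the token to tell it who is logged in. The nonce adds request binding on top, and keeping ID Tokens out of query strings removes the history exposure in the first place.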