[Openid-specs-ab] Session Management: Security Considerations
Breno de Medeiros
breno at google.com
Wed Aug 31 17:22:42 UTC 2011
The check session endpoint MUST validate that the browser session matches the id_token.
>
>
> ---------- Forwarded message ----------
> From: Andreas Åkre Solberg <andreas.solberg at uninett.no>
> Date: 2011/8/31
> Subject: [Openid-specs-ab] Session Management: Security Considerations
> To: openid-specs-ab at lists.openid.net
>
>
> I'm referring to OpenID Connect Session Management 1.0 - draft 03.
> http://openid.net/specs/openid-connect-session-1_0.html
> If we consider a user agent that logs query string parameters in
> history (for example, Safari does).
> Say that user A logs out of service X, and the service ends the
> session at the provider as well. This means that the ID Token of the
> terminated session may be present in the browser history (depending on
> whether the logout flow includes redirects or displays an info page…).
> Say that user B logs in to service X right after, waits for the
> session to time out, or forces the check session request by other
> means, and the user is redirected to the provider check session
> endpoint. Now user B crafts the response to this request, putting in
> the ID Token from user A (that is still valid!).
> Now user B is authenticated as user A.
> Andreas
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
--
--Breno
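To illustrate the check Breno asks for, here is an added example (not code from the thread or from any OpenID implementation) of a provider-side check session handler: the weak version accepts any id_token the provider ever signed, while the hardened version also requires that the token name the same user and the same still-live provider session that the browser's own cookie is bound to. The token format, the `sid` claim, the session store and the key are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key and session store; a real OP would use its signing key
# and persistent session storage. Names here are assumptions, not spec terms.
OP_KEY = b"constructed-op-key"
OP_SESSIONS = {            # browser session cookie -> live OP session
    "cookie-b": {"sub": "user-b", "sid": "sess-2"},
}                          # user A logged out, so no entry for cookie-a

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict) -> str:
    """Minimal HMAC-signed token standing in for a JWT id_token (constructed)."""
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = _b64u(hmac.new(OP_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def parse_id_token(token: str):
    """Return the claims if the signature verifies, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(OP_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_dec(sig)):
        return None
    return json.loads(_b64u_dec(body))

def naive_check_session(browser_cookie: str, id_token: str) -> bool:
    """Weak: only checks that the id_token is one the OP once issued,
    so a replayed token from another (logged-out) user is accepted."""
    return parse_id_token(id_token) is not None

def check_session(browser_cookie: str, id_token: str) -> bool:
    """Hardened: the id_token must name the same user and OP session that
    the browser's cookie is bound to, and that session must still be live."""
    claims = parse_id_token(id_token)
    session = OP_SESSIONS.get(browser_cookie)
    if claims is None or session is None:
        return False
    return (hmac.compare_digest(session["sub"], claims.get("sub", ""))
            and hmac.compare_digest(session["sid"], claims.get("sid", "")))
```

With user A's token replayed from user B's browser, `naive_check_session` returns True and `check_session` returns False.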