[Openid-specs-ab] Session Management: Security Considerations

Breno de Medeiros breno at google.com
Thu Sep 1 18:06:42 UTC 2011


On Thu, Sep 1, 2011 at 10:56, John Bradley <ve7jtb at ve7jtb.com> wrote:
> I think you are referring to XSRF protection for the Refresh Session
> endpoint.

I am talking about XSRF protection for all places in the client where
they accept id_tokens (or access_tokens for that matter).

> Check Session is a direct POST from the client to the Check Session
> endpoint, for a web server client that would not go through the browser.
> John
> On 2011-08-31, at 8:51 AM, Andreas Åkre Solberg wrote:
>
> I'm referring to OpenID Connect Session Management 1.0 - draft 03.
> http://openid.net/specs/openid-connect-session-1_0.html
> If we consider a user agent that logs query string parameters in history
> (for example, Safari does).
> Say that user A logs out of service X, and the service ends the session at
> the provider as well. This means that the ID Token of the terminated session
> may be present in the browser history (depending on whether the logout flow
> includes redirects or displays an info page…).
> Say that user B logs in to service X right after, waits for the session to
> time out, or forces the check session request by other means, and the user is
> redirected to the provider check session endpoint. Now user B crafts the
> response to this request, putting in the ID Token from user A (which is still
> valid!).
> Now user B is authenticated as user A.
> Andreas
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>



-- 
--Breno


