[Openid-specs-ab] Session Management: Security Considerations
Andreas Åkre Solberg
andreas.solberg at uninett.no
Thu Sep 1 20:36:30 UTC 2011
On 1 Sep 2011, at 19:56, John Bradley wrote:
> I think you are referring to XSRF protection for the Refresh Session endpoint.
>
> Check Session is a direct POST from the client to the Check Session endpoint, for a web server client that would not go through the browser.
You're right, I made a typo; I meant the Refresh Session endpoint (not the Check Session endpoint).
However, my concern was not about XSRF (that is sort of handled by the state, right?).
My concern is this: you may log in and out again on your computer, and there may be a valid ID Token JWT left in your browser log (the JWT is not invalidated when you log out). This means that when I borrow your PC afterwards, I can get access to that token and use it to update my own session at the RP, so that I am authenticated as you.
Andreas