[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL
>> This will increase the risk of potential Denial of Service (DoS) attacks
>> because even without any authentication you store something in a session
>> or in a database, etc.

Another point, solely based on the original example/question, is that it's also a bad idea to ever pass actual session ID material around to the IdP and back anyway, especially in a redirect, since that gets logged all over. That opens up the session back at the SP to lots of attack vectors, given the stupidity of how most server-side sessions are implemented by application servers. Lack of address checking, for example.

-- Scott
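As an added example that is not part of the thread and not code from any SAML implementation, the Python below contrasts the two points raised above: an SP that smuggles its own session ID into the AssertionConsumerServiceURL query string (so the IdP and every proxy in between log it), and an SP that sends only an opaque, random, single-use RelayState token whose server-side record carries a TTL and a hard cap, so nothing secret travels in the redirect and the pre-authentication state an anonymous client can pin is bounded. The entity IDs, URLs, the stripped-down AuthnRequest and the sample session ID are all constructed for illustration; request signing is omitted, and the store is in-memory only.

```python
"""Added example (not from the saml-dev thread): carrying "where to return the
user" across the IdP round trip, the leaky way and the opaque way.

Assumptions (not from the thread): the SP/IdP identifiers and URLs below are
constructed; the AuthnRequest is reduced to the attributes relevant here;
signing of the redirect is left out.
"""
import base64
import secrets
import time
import zlib
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, unescape

SP_ENTITY_ID = "https://sp.example.org/shibboleth"                      # constructed
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"            # constructed
IDP_SSO_URL = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"  # constructed


def authn_request_xml(acs_url: str) -> str:
    """Minimal AuthnRequest; only the fields relevant to the point are present."""
    issue_instant = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{secrets.token_hex(16)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        f'AssertionConsumerServiceURL="{escape(acs_url, {chr(34): "&quot;"})}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect_request(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    return base64.b64encode(deflated).decode()


def redirect_url_bad(session_id: str, return_path: str) -> str:
    """Anti-pattern: the SP's session ID rides in the ACS URL query string and
    therefore in the IdP's access log, any proxy log, and the browser history."""
    acs = f"{ACS_URL}?{urlencode({'sid': session_id, 'return': return_path})}"
    return f"{IDP_SSO_URL}?{urlencode({'SAMLRequest': encode_redirect_request(authn_request_xml(acs))})}"


class RelayStateStore:
    """Server-side state behind opaque RelayState tokens.

    Tokens are random and single-use, entries expire, and the total is capped so
    unauthenticated clients can only pin a bounded amount of state (the DoS
    concern quoted in the thread). `clock` is injectable for deterministic tests.
    """

    def __init__(self, ttl_seconds: int = 300, max_entries: int = 10_000,
                 clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.max_entries = max_entries
        self.clock = clock
        self._entries: Dict[str, Tuple[float, str]] = {}

    def _evict_expired(self) -> None:
        now = self.clock()
        for tok in [t for t, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[tok]

    def issue(self, return_path: str) -> str:
        self._evict_expired()
        if len(self._entries) >= self.max_entries:
            raise RuntimeError("too many outstanding login attempts; refusing to store more")
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, nothing derived from the session
        self._entries[token] = (self.clock() + self.ttl, return_path)
        return token

    def consume(self, token: str) -> Optional[str]:
        """Look up and delete; None if unknown, expired or already used."""
        self._evict_expired()
        entry = self._entries.pop(token, None)
        return entry[1] if entry else None


def redirect_url_good(store: RelayStateStore, return_path: str) -> str:
    """ACS URL carries no query string; the only per-attempt value is an opaque token."""
    q = {
        "SAMLRequest": encode_redirect_request(authn_request_xml(ACS_URL)),
        "RelayState": store.issue(return_path),
    }
    return f"{IDP_SSO_URL}?{urlencode(q)}"


def acs_url_in_request(redirect_url: str) -> str:
    """What the IdP (and whoever reads its logs) sees as the AssertionConsumerServiceURL."""
    saml_request = parse_qs(urlparse(redirect_url).query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(saml_request), -15).decode()
    marker = 'AssertionConsumerServiceURL="'
    start = xml.index(marker) + len(marker)
    return unescape(xml[start:xml.index('"', start)], {"&quot;": '"'})


def relay_state_of(redirect_url: str) -> str:
    """Extract the RelayState parameter from a redirect URL."""
    return parse_qs(urlparse(redirect_url).query)["RelayState"][0]
```

On the SP side, the ACS endpoint resolves `RelayState` through `RelayStateStore.consume` after the response has been validated; an unknown or expired token simply drops the user at a default landing page rather than trusting anything from the URL. The cap is deliberately a refusal rather than an eviction of the oldest entry, so a flood of anonymous AuthnRequests degrades new logins instead of silently invalidating in-flight ones.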