No subject


Thu Jun 16 17:04:38 CEST 2011


Hi Kristof,

That makes sense, I will put that forward to them. I told them similar but they said I was wrong. Thanks for clearing it up, I will give it a go.

Luke

>>> Kristof Bajnok <bajnokk at niif.hu> 29/06/2011 06:14 >>>
On 2011. June 28. 20:39:43 Luke Cameron wrote:
> have setup the SP like normal with HTTPS enabled, but the web developer
> wants them to login to Shib over HTTPS then redirect them back to HTTP but
> when I try this in a test environment it won't work, it shows them logged
> out again.

This is most probably because your Shibboleth SP does not protect the
unencrypted HTTP requests. Look for the 'handlerSSL' parameter in shibboleth.xml.

According to https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions , this
setting defaults to true, so you have to disable it.

> Can someone confirm this is correct or a way of doing what the web
> developer wants to do.

From the security point of view, it undoubtedly weakens the protection. Then
the session cookie is transmitted unencrypted, so anybody underway may see
it. However, Shibboleth has the 'consistentAddress' checking, which only
allows cookies originating from the same (consistent) IP address, so an
attacker must also forge the IP address to steal the user's session.

Kristof

_______________________________________________
shib_auth mailing list
shib_auth at listserv.niif.hu
https://listserv.niif.hu/mailman/listinfo/shib_auth

E-MAIL DISCLAIMER

This e-mail and any attachments are intended for the named recipient only and are to be treated as confidential unless the College agrees otherwise. If you are not the intended recipient, please notify the sender immediately, deleting this e-mail without making copies or using it in any way. The College may be legally obliged to disclose e-mail communications in response to a legitimate request pursuant to both the Freedom of Information Act 2000 and the Data Protection Act 1998. City College Plymouth reserves the right to monitor, in accordance with its legal obligations, any and all aspects of its e-mail system, including the content of e-mails received, but will not do so routinely. City College Plymouth cannot guarantee that this e-mail or any attachments to it are virus free and does not accept any liability for any damage, costs or loss resulting from any virus infection. Any views expressed in the message are those of the sender and may not necessarily reflect the views of the College.
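The exchange above comes down to a few attributes of the SP's <Sessions> element: 'handlerSSL' (the setting Kristof suggests relaxing) and 'consistentAddress' (the IP check he describes as the remaining safeguard), plus the cookie's own Secure flag, which decides whether a browser will send the session cookie over http:// at all. The following audit script is an added example for this thread; it is not code from the shib_auth list or from the Shibboleth project. It parses a shibboleth2.xml-style document and reports weak settings. It assumes the SP 2.x attribute names and defaults as I read them in the NativeSPSessions documentation (handlerSSL and consistentAddress default to true when absent, cookieProps defaults to "; path=/" with no 'secure' flag, and cookieProps="https" is the SP's shorthand for a secure, HttpOnly cookie); both sample configurations are constructed for the example, with placeholder entityID and handlerURL values.

```python
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed sample configs (not taken from any real deployment).  The
# attribute names handlerSSL, consistentAddress and cookieProps are the
# documented SP 2.x <Sessions> attributes; entityID and handlerURL are
# placeholders.  WEAK_CONFIG is the "redirect back to HTTP" shape the thread
# discusses; HARDENED_CONFIG keeps the defaults and marks the cookie secure.
WEAK_CONFIG = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"
              handlerSSL="false" consistentAddress="false" cookieProps="; path=/"/>
  </ApplicationDefaults>
</SPConfig>
"""

HARDENED_CONFIG = f"""<SPConfig xmlns="{SP_NS}">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <Sessions lifetime="28800" timeout="3600" handlerURL="/Shibboleth.sso"
              handlerSSL="true" cookieProps="https"/>
  </ApplicationDefaults>
</SPConfig>
"""


def _local_name(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Sessions' -> 'Sessions')."""
    return tag.rsplit("}", 1)[-1]


def _as_bool(value, default):
    """Parse an XML boolean attribute, falling back to the documented default when absent."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "1")


def audit_sessions(xml_text):
    """Return (attribute, problem) pairs for every <Sessions> element in the config.

    Assumed SP 2.x defaults: handlerSSL and consistentAddress are true when the
    attribute is missing; cookieProps is '; path=/' (no 'secure' flag).
    """
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local_name(el.tag) != "Sessions":
            continue
        if not _as_bool(el.get("handlerSSL"), True):
            findings.append(("handlerSSL",
                             "false: SP handlers accept plain-HTTP requests, "
                             "so the session cookie travels in the clear"))
        if not _as_bool(el.get("consistentAddress"), True):
            findings.append(("consistentAddress",
                             "false: a copied cookie is accepted from any client address"))
        props = (el.get("cookieProps") or "; path=/").strip().lower()
        # "https" is the SP shorthand for '; path=/; secure; HttpOnly' (assumed per docs).
        if props != "https" and "secure" not in props:
            findings.append(("cookieProps",
                             "missing 'secure': the browser will also send the cookie over http://"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_sessions(cfg) or "no findings")
```

Run against WEAK_CONFIG the script reports all three problems; against HARDENED_CONFIG it reports none. The point of treating a missing attribute as its documented default is that a config which simply omits handlerSSL is fine, while one that omits cookieProps still gets flagged, because the default cookie is not marked secure.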


