Shibboleth Discovery Service - Java: SDSJ-90

Hardening the '_saml_idp' cookie in the centralized DS

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.1.2
    • Fix Version/s: 1.1.3
    • Labels: None
    • Java Version: Sun 1.5
    • Servlet Container: Jetty 7

      Description

      Note the following issues with respect to the '_saml_idp' cookie used in the centralized DS:

      * In the SamlCookiePlugin class, the static getCookie method should take into account the path and domain in addition to the cookie name
      * The SamlCookiePlugin constructor should ensure that the configured 'cacheDomain' attribute has a leading dot as required by RFC 2965
      * The '_saml_idp' cookie used by the CDS is not marked as 'secure' (is this a security vulnerability?)
      * The 'cacheDomain' configuration property is an undocumented feature but I think it should be documented since it allows the deployer to configure a centralized DS such that the '_saml_idp' cookie is equivalent to the so-called common domain cookie. Out of the box, the '_saml_idp' cookie defaults to the request-host (not a common domain).
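As an added illustration of the three hardening points above (this is example code, not the SDSJ project's SamlCookiePlugin; the class SamlIdpCookieExample and its methods are hypothetical names), a Servlet 2.5-style helper that normalises 'cacheDomain' to a leading dot, matches the cookie on name plus domain/path where the client actually sends those attributes, and writes it with the Secure flag:

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper (not the project's SamlCookiePlugin); Java 5 / Servlet 2.5 API only. */
public final class SamlIdpCookieExample {
    static final String COOKIE_NAME = "_saml_idp";

    /** RFC 2965 requires a leading dot on the domain; null or blank means "use the request host". */
    static String normalizeDomain(String cacheDomain) {
        if (cacheDomain == null || cacheDomain.trim().length() == 0) {
            return null;
        }
        String d = cacheDomain.trim().toLowerCase();
        return d.startsWith(".") ? d : "." + d;
    }

    /**
     * Look the cookie up by name, and also by domain and path when the client supplied
     * those attributes (RFC 2965 $Domain/$Path). Most browsers omit them, so a cookie
     * without them still matches; a cookie that carries a different domain or path does not.
     */
    static Cookie getCookie(HttpServletRequest request, String domain, String path) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (!COOKIE_NAME.equals(c.getName())) {
                continue;
            }
            if (c.getDomain() != null && domain != null && !c.getDomain().equalsIgnoreCase(domain)) {
                continue;
            }
            if (c.getPath() != null && path != null && !c.getPath().equals(path)) {
                continue;
            }
            return c;
        }
        return null;
    }

    /** Write the cookie with the Secure attribute so the browser only returns it over TLS. */
    static void setCookie(HttpServletResponse response, String value, String domain, String path, int maxAge) {
        Cookie c = new Cookie(COOKIE_NAME, value);
        if (domain != null) {
            c.setDomain(domain);           // already normalised by normalizeDomain()
        }
        c.setPath(path == null ? "/" : path);
        c.setMaxAge(maxAge);
        c.setSecure(true);                 // never send the IdP-selection cookie over plain HTTP
        response.addCookie(c);
    }
}
```

Servlet 2.5 has no setHttpOnly(), so a deployer on Jetty 7 who also wants HttpOnly would have to set it through the container's session/cookie configuration rather than through this API.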


    People

    • Assignee: Rod Widdowson (rdw@steadingsoftware.com)
    • Reporter: Tom Scavo (trscavo) (Inactive)
