  1. Identity Provider
  2. IDP-651

idp.session.consistentAddress setting is broken

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0, 3.1.0
    • Fix Version/s: 3.1.1
    • Component/s: Session
    • Labels:
      None

      Description

      The idp.session.consistentAddress property was botched. The conditional logic in the SessionManager doesn't bypass the address binding step, causing a CVE. In addition, the setting isn't used in other actions to bypass the address check, which would cause the address to be bound to the session there anyway.

            People

            • Assignee: Scott Cantor (cantor.2@osu.edu)
            • Reporter: Scott Cantor (cantor.2@osu.edu)
            • Watchers: 1

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                • Estimated: 2h (Original Estimate - 2 hours)
                • Remaining: 0m (Remaining Estimate - 0 minutes)
                • Logged: 15m (Time Spent - 15 minutes)