checkAddress

Prior to version 1.3c, the Service Provider software includes an application-level setting in shibboleth.xml, on the <Sessions> element, called checkAddress, which defaults to true if the attribute is not present. As of version 1.3, this setting is set to false in the default file distributed with the software.

...

This setting ensures that once a session cookie is issued to a client, any further use of that cookie is accepted only from a client presenting the same network address. This raises the bar for session hijacking from cookie theft to network address spoofing, which may or may not be simple in a given environment but is definitely harder than stealing a cookie and requires a different set of attacker skills. The trade-off is that legitimate clients whose address changes mid-session (NAT pools, proxy farms, mobile users) lose their sessions, and an SP behind a reverse proxy sees the proxy's address rather than the client's unless it is configured to use a trusted forwarded-address header.
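The following is an added illustration of what an address-bound session check does, written for this page; it is not Shibboleth's code. The session store, the principal name and the two client addresses are all constructed for the example. It runs the same stolen-cookie replay with the check enabled and disabled so the difference is visible in the results.

```python
import secrets
import time

# Constructed illustration of address-bound sessions (not Shibboleth's code).
# A session cookie is minted for one client address; when check_address is
# True, presenting it from any other address is treated as a hijack attempt.


class SessionStore:
    def __init__(self, check_address=True, lifetime=3600, clock=time.time):
        self.check_address = check_address
        self.lifetime = lifetime
        self.clock = clock          # injectable so expiry can be tested
        self._sessions = {}         # cookie -> dict(principal, addr, issued)
        self.rejections = []        # audit trail of failed lookups

    def create(self, principal, client_addr):
        """Issue an unguessable cookie bound to the issuing client's address."""
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {
            "principal": principal,
            "addr": client_addr,
            "issued": self.clock(),
        }
        return cookie

    def lookup(self, cookie, client_addr):
        """Return the principal for a presented cookie, or None if the session
        is unknown, expired, or (with check_address) presented from a different
        address than the one it was issued to."""
        sess = self._sessions.get(cookie)
        if sess is None:
            self.rejections.append(("unknown", client_addr))
            return None
        if self.clock() - sess["issued"] > self.lifetime:
            del self._sessions[cookie]
            self.rejections.append(("expired", client_addr))
            return None
        if self.check_address and client_addr != sess["addr"]:
            # The cookie itself is valid; only the address differs. Without
            # this check a stolen cookie would be accepted here.
            self.rejections.append(("address_mismatch", client_addr))
            return None
        return sess["principal"]


def demo():
    """Constructed scenario: a victim logs in, then an attacker replays the
    stolen cookie from another address. Returns (victim result, attacker
    result) for checkAddress=True and checkAddress=False."""
    victim, attacker = "198.51.100.10", "203.0.113.7"   # constructed addresses
    results = {}
    for check in (True, False):
        store = SessionStore(check_address=check)
        cookie = store.create("alice@example.org", victim)
        results[check] = (
            store.lookup(cookie, victim),     # legitimate use
            store.lookup(cookie, attacker),   # replayed stolen cookie
        )
    return results


if __name__ == "__main__":
    for check, (own, stolen) in demo().items():
        print(f"checkAddress={check}: victim -> {own!r}, attacker -> {stolen!r}")
```

With the check enabled the replayed cookie is rejected and logged as an address mismatch; with it disabled the attacker is authenticated as the victim. The `client_addr` passed to `lookup` must be the real client address: a deployment behind a reverse proxy that passes the proxy's own address would bind every session to the same value and the check would reject nothing.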
