Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

IdP sessions are by default bound to an "address" in order to prevent trivial session takeover simply through session cookie exposure. This can be disabled via the Idp.session.consistentAddress property or relaxed in various ways through the idp.session.consistentAddressCondition extension point. It is deeply ill-advised to simply disable this checking entirely and it deeply quite unsafe to operate networks that hide a plethora of clients behind a single address.

...