Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


IdP sessions are by default bound to an "address" in order to prevent trivial session takeover simply through session cookie exposure. This can be disabled via the Idp.session.consistentAddress property or relaxed in various ways through the idp.session.consistentAddressCondition extension point. It is deeply ill-advised to simply disable this checking entirely and it deeply unsafe to operate networks that hide a plethora of clients behind a single address.

The latter extension point relies on supplying a BiPredicate (a condition that takes two inputs). The first parameter is the address string to which the session is already bound, and the second parameter is the address string that is being tested/evaluated for “equivalence” with the first parameter. That is, the default implementation of this simply compares the two strings for equality.

One existing implementation of this feature is the IPRangeBiPredicate class, which is configured with a number of IPRange objects, and will consider the two input strings “equivalent” if they both fall into one of the supplied ranges.

The session address binding layer supports simultaneous binding of sessions to both IPv4 and IPv6 addresses so clients may use both types and float between them.