Identity/Security/Replay attacks
From MozillaWiki
Assertion replay
Risks
- If an assertion is captured by an attacker, it can be replayed to an RP to gain entry to that site and impersonate a user there.
Mitigations
- Assertions are only valid for 2 minutes.
- We recommend that sites send the assertion to their backend over HTTPS.
- Verifiers could keep track of assertions they have seen in the last 2-3 minutes (verifier.login.persona.org doesn't do that).
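The verifier-side mitigations above, as an added example that is not Persona's own verifier code: a toy verifier that enforces the 2-minute lifetime and keeps a seen-assertion cache for 3 minutes. The assertion format (JSON with `exp` in milliseconds and `aud`), the audience check and the `make_assertion` helper are assumptions standing in for a real signed BrowserID assertion; signature verification is not modelled.

```python
import hashlib
import json
import time

ASSERTION_LIFETIME_S = 120  # assertions are only valid for 2 minutes
REPLAY_WINDOW_S = 180       # remember seen assertions for 3 minutes (lifetime plus clock skew)


class ReplayCache:
    """Remembers digests of assertions seen within REPLAY_WINDOW_S seconds."""

    def __init__(self, window_s=REPLAY_WINDOW_S):
        self.window_s = window_s
        self._seen = {}  # sha256(assertion) -> time first seen

    def _evict(self, now):
        # Anything older than the window cannot be valid any more, so drop it.
        for digest in [d for d, t in self._seen.items() if now - t > self.window_s]:
            del self._seen[digest]

    def check_and_record(self, assertion, now):
        """Return True the first time an assertion is seen, False on a replay."""
        self._evict(now)
        digest = hashlib.sha256(assertion.encode("utf-8")).hexdigest()
        if digest in self._seen:
            return False
        self._seen[digest] = now
        return True


def verify(assertion, audience, cache, now=None):
    """Toy verifier: checks audience, expiry window and replay. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        claims = json.loads(assertion)  # assumed format; a real assertion is signed and checked first
    except ValueError:
        return False, "malformed"
    if claims.get("aud") != audience:
        return False, "audience mismatch"  # minted for another site, so not accepted here
    exp = claims.get("exp", 0) / 1000.0    # assumed: exp in milliseconds since the epoch
    if exp <= now or exp - now > ASSERTION_LIFETIME_S:
        return False, "bad expiry"         # already expired, or a lifetime longer than allowed
    if not cache.check_and_record(assertion, now):
        return False, "replayed"
    return True, "ok"


def make_assertion(audience, now, lifetime_s=60):
    # Constructed sample assertion for demonstration; not a real BrowserID assertion.
    return json.dumps({"aud": audience, "exp": int((now + lifetime_s) * 1000)})
```

The cache is keyed on a digest of the whole assertion, so the same assertion presented twice inside the window is rejected even though it is still within its lifetime.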
Notes
Typically, on HTTP-only sites, attackers can already steal session cookies. Creating a new session from a stolen assertion is nonetheless more useful to the attacker, because that session survives the real user logging out of his/her own session on the site.