README.md: 4 additions & 5 deletions
@@ -156,9 +156,9 @@ a trusted and expected URL.
156
156
157
157
Read more about Open Redirect [CWE-601](https://cwe.mitre.org/data/definitions/601.html).
158
158
159
-
### Avoiding Reply attacks ###
159
+
### Avoiding Replay attacks ###
160
160
161
-
A reply attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
161
+
A replay attack is basically try to reuse an intercepted valid SAML Message in order to impersonate a SAML action (SSO or SLO).
162
162
163
163
SAML Messages have a limited timelife (NotBefore, NotOnOrAfter) that
164
164
make harder this kind of attacks, but they are still possible.
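Review bot: the Reply -> Replay fix in the heading and the first sentence leaves the rest of that sentence ungrammatical, so the changed line could read "A replay attack is basically an attempt to reuse an intercepted valid SAML message in order to impersonate a SAML action (SSO or SLO)." The unchanged context lines that follow have the same problem ("limited timelife" for "limited lifetime", "make harder this kind of attacks" for "make this kind of attack harder") and would be worth fixing in the same pass.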
@@ -169,8 +169,7 @@ we don't need to store all processed message/assertion Ids, but the most recent
169
169
170
170
The OneLogin_Saml2_Auth class contains the [get_last_request_id](https://github.com/onelogin/python-saml/blob/00b1f823b6c668b0dfb5e4a40d3709a4ceb2a6ae/src/onelogin/saml2/auth.py#L352), [get_last_message_id](https://github.com/onelogin/python-saml/blob/00b1f823b6c668b0dfb5e4a40d3709a4ceb2a6ae/src/onelogin/saml2/auth.py#L359) and [get_last_assertion_id](https://github.com/onelogin/python-saml/blob/00b1f823b6c668b0dfb5e4a40d3709a4ceb2a6ae/src/onelogin/saml2/auth.py#L366) methods to retrieve the IDs
171
171
172
-
Checking that the ID of the current Message/Assertion does not exists in the lis of the ones already processed will prevent reply
173
-
attacks.
172
+
Checking that the ID of the current Message/Assertion does not exists in the lis of the ones already processed will prevent replay attacks.
174
173
175
174
176
175
Getting Started
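Review bot: the rewrapped line still carries "does not exists" and "lis", so while it is being touched it should read "Checking that the ID of the current Message/Assertion does not exist in the list of the ones already processed will prevent replay attacks." Joining the two wrapped lines is a good change, since the sentence was previously split mid-clause.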
@@ -988,7 +987,7 @@ The ``x509certMulti`` is an array with 2 keys:
988
987
989
988
### Replay attacks ###
990
989
991
-
In order to avoid reply attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting.
990
+
In order to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting.
992
991
993
992
Get the ID of the last processed message/assertion with the ``get_last_message_id``/``get_last_assertion_id method`` of the ``Auth`` object.
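Review bot: the replaced line fixes only "reply" and keeps the grammar errors around it; suggest "Since the messages expire and will be invalidated for that reason, you don't need to store those IDs longer than the time frame you currently accept." It would also help to state explicitly that the retention window must be at least as long as the NotOnOrAfter validity window the SP accepts, since an ID purged earlier than that could be replayed while the message is still valid. The unchanged context line below has misplaced backticks: ``get_last_assertion_id method`` should be ``get_last_assertion_id`` method.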