Anti-xsrf plus opt-out for WsFed

[Tratcher]

WsFed has historically not used anti-xsrf cookies because it supports unsolicited logins. However anti-xsrf cookies could be used if there was an opt-out option for applications that required support for unsolicited logins.
#1441 (comment)

@brentschmaltz how common is it for apps to rely on unsolicited logins?

[kevinchalet]

@brentschmaltz how common is it for apps to rely on unsolicited logins?

Common or not, it should definitely be opt-out. XSRF/session fixation attacks are too dangerous to ignore them by default.

[kevinchalet]

BTW, it might be interesting to backport such a security feature to Katana 4 😅

[Tratcher]

Frequency matters because if all apps need to allow unsolicited logins then this feature is counter productive.

[kevinchalet]

Luckily, not all apps need IdP or third-party initiated login (which is not the most common case from what I can say based on my own experience).

JSYK, the OASIS committee decided in 2012 to add an errata to the SAML2 specification to encourage implementations to offer a way to reject unsolicited assertions when it became clear that it represented a real security threat:

Note that the use of unsolicited responses can lead to Cross-Site Request Forgery (CSRF) vulnerabilities due to the inability to ensure that a request from the client originated the SAML profile transaction. Service providers SHOULD have a means of disabling the acceptance of unsolicited responses if circumstances warrant. The use of solicited responses may also be vulnerable to such attacks, the use of cookies to correlate the issuance of SAML requests and responses with the same client being one possible solution. However, if unsolicited respones cannot be prevented, no improvement to the solicited case will be of use.

http://docs.oasis-open.org/security/saml/v2.0/errata05/os/saml-v2.0-errata05-os.html

WS-Fed's unsolicited responses feature works exactly the same way so the same attack vector unfortunately applies.

I'm tempted to think it would be better to make it safe by default.

[blowdart]

damnit I agree with @PinpointTownes

[kevinchalet]

damnit I agree with @PinpointTownes

We really need to do something to stop that...

[Tratcher]

Offline notes: @brentschmaltz also swore and agreed with @PinpointTownes.

[brentschmaltz]

@Tratcher I did :-)