Details
Suggestion
Resolution: Not a bug
Description
Problem Definition
Currently Crowd sets its SSO cookie on a wildcard domain such as *.domain.com so that the cookie can be validated by the different applications sharing that domain. This can expose the Overly broad session cookie domain vulnerability.
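An added check illustrating the scope problem described above; it is not Crowd's code. Given a Set-Cookie header and the host that issued it, it classifies how widely the Domain attribute scopes the cookie (the example host names and cookie names are constructed):

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as an SSO service answering on
# crowd.example.com might emit them (not taken from Crowd itself).
SAMPLE_HEADERS = [
    "SSO_TOKEN=abc123; Domain=.example.com; Path=/; HttpOnly",  # parent-domain scope
    "JSESSIONID=def456; Path=/; HttpOnly; Secure",              # no Domain: host-only
    "PREF=1; Domain=crowd.example.com; Path=/",                 # Domain equals host
]


def audit_set_cookie(header: str, response_host: str) -> dict:
    """Classify the Domain scope of one Set-Cookie header.

    scope is one of:
      host-only  no Domain attribute: sent only to response_host (RFC 6265 host-only flag)
      host       Domain equals response_host: sent to it and to its subdomains
      parent     Domain is an ancestor of response_host: shared with every sibling host
      rejected   Domain does not cover response_host: a browser discards the cookie
    """
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()  # one cookie per Set-Cookie line
    host = response_host.lower()
    domain = morsel["domain"].lower().lstrip(".")  # ".example.com" -> "example.com"
    if not domain:
        scope = "host-only"
    elif domain == host:
        scope = "host"
    elif host.endswith("." + domain):
        scope = "parent"
    else:
        scope = "rejected"
    return {"name": name, "domain": domain or None, "scope": scope,
            "overly_broad": scope == "parent"}


def find_overly_broad(headers, response_host: str) -> list:
    """Names of cookies that a sibling host under the same parent domain would receive."""
    results = (audit_set_cookie(h, response_host) for h in headers)
    return [r["name"] for r in results if r["overly_broad"]]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h, "crowd.example.com"))
    print("overly broad:", find_overly_broad(SAMPLE_HEADERS, "crowd.example.com"))
```

Run against real responses, only the "parent" cookies are the ones the ticket is concerned with: any other application hosted under the same parent domain receives them.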
Suggested Solution
As recommended in that article, the application could additionally bind the session to the user's IP address.
Workaround
Disable SSO