The first four use cases are described in “SAML v2.0 vs JWT: SAML2 Web Application SSO Use Cases” and “SAML v2.0 vs. The full list of SAML2 vs JWT-related blog posts can be found here.
The SAML 2.0 specification provides for logging out of a web application (Service Provider) and the Identity Provider. Basically, it allows a Principal to initiate a logout at the IdP or at the Service Provider(s).
If the session identifier is not reissued upon authentication, the attacker can eavesdrop and steal the identifier and then use it to hijack the session.
Testing for Session Fixation vulnerabilities: The first step is to make a request to the site to be tested (example
The attacker then causes the victim to authenticate against the server using the same session identifier, giving the attacker access to the user's account through the active session.
Furthermore, the issue described above is problematic for sites that issue a session identifier over HTTP and then redirect the user to an HTTPS login form.
It is important that the servlet be able to associate incoming requests with particular shoppers.
As an alternative, the session ID can be conveyed to the servlet by URL rewriting, in which the session ID is appended to the URL of the servlet or JavaServer Pages (JSP) file from which the user is making requests.
For example, a servlet might use sessions to provide "shopping carts" to online shoppers.
Suppose the servlet is designed to record the items each shopper indicates he or she wants to purchase from the Web site.
In that case, an attacker could steal the user session (session hijacking).
Session fixation vulnerabilities occur when: In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier.
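The generic fixation scenario above, replayed against a constructed in-memory session store as an added example (not code from any of the sources quoted on this page): `login_vulnerable` keeps whatever identifier arrived with the request, while `login_hardened` reissues the identifier on authentication, which is the mitigation the text describes. The store, both login functions and the `fixation_succeeds` harness are assumptions for illustration.

```python
import secrets


class SessionStore:
    """Constructed stand-in for a web framework's server-side session store."""

    def __init__(self):
        self.sessions = {}  # session_id -> session attributes

    def create(self):
        # Any visitor, authenticated or not, can obtain a valid session id.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, sid, user):
    # Authenticates on the identifier that arrived with the request, so an id
    # planted before login stays valid after it (the fixation weakness).
    store.sessions[sid]["user"] = user
    return sid


def login_hardened(store, sid, user):
    # Discards the pre-authentication session and issues a fresh identifier at
    # the privilege change, so a planted id never becomes an authenticated one.
    store.sessions.pop(sid, None)
    new_sid = secrets.token_urlsafe(32)
    store.sessions[new_sid] = {"user": user}
    return new_sid


def fixation_succeeds(login):
    """Return True if an attacker's pre-authentication id ends up bound to the
    victim's authenticated session after the victim logs in through `login`."""
    store = SessionStore()
    attacker_sid = store.create()                       # attacker records a fresh id
    login(store, attacker_sid, "victim")                 # victim authenticates with that same id
    session = store.get(attacker_sid)
    return session is not None and session["user"] == "victim"
```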