Assertion replay

Risks

• If an assertion is captured by an attacker, it can be replayed to an RP to gain entry to that site and impersonate a user there.

Mitigations

• assertions are only valid for 2 minutes
• we recommend that sites send the assertion to their backend over HTTPS
• verifiers could keep track of assertions they have seen in the last 2-3 minutes (verifier.login.persona.org doesn't do that)

Notes

Typically, on HTTP-only sites, attackers can already steal session cookies. The ability to create a new session after stealing an assertion is more useful since it allows the attacker to keep going after the real user logs out of the site with his/her session.