• A Invalidate the SSO token on the server side for subsequent use after the user logs off from any of the SSO-enabled applications/systems, that is, after Single Sign-Off.
  • B Digitally sign the SSO token to protect against man-in-the-middle manipulations, and encrypt the token with a time-variant encryption key/algorithm. Exchange the token over SSL.
  • C If the SSO token is being exchanged using an HTTP cookie, set the "HttpOnly" attribute of the cookie to prevent cookie access via client-side JavaScript.
  • D All the above options