Hi folks,
This message is related to Pull Requests #4426 and #4427 in CAS 6.1.2 and 6.2. The PR fix works only at first login and if all cookies are cleared afterwards; the problem is that the JSESSIONID cookie still exists even after you log out, as it is not cleared, so it tries to retrieve the session/ticket from an older value and links the transient service ticket to the old value.
I'm wondering if someone knows a way to avoid that? I tried to find a way to force the cookie value to change, but it's not really applied everywhere (as it isn't applied before a page is viewed), or I didn't find where to do it. If someone has an idea, feel free to propose it!
On another note, I'm wondering if it's a good way to do it? I think it would be better to avoid using a cookie, as in this case the session could be retrieved another way. For example, with a SAML AuthnRequest an ID is generated and the IdP provides it in its response (attribute inResponseTo). So why not use this attribute and leave the JSESSIONID cookie to Tomcat? It's only an idea. Also, I'm not sure if this will work in an UNSOLICITED request (I can't test it).
Any overview would be appreciated!
Thanks
Julien
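The two behaviours the post describes (the JSESSIONID cookie surviving logout, and wanting the cookie value to change) are both things a servlet container can be told to do explicitly. The following filter is an added illustration, not CAS code and not part of the pull requests mentioned above; it assumes a plain Servlet 3.1+ container such as Tomcat 8 or later, `javax.servlet` packages (as used by CAS 6.x on Spring Boot 2), and hypothetical `/login` and `/logout` endpoints under the application's context path. On logout it invalidates the server-side session and sends a Set-Cookie that expires JSESSIONID; on a successful login POST it rotates the session id with `changeSessionId()`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example filter (not CAS code) showing session-id hygiene
 * around login and logout on a Servlet 3.1+ container.
 */
public class SessionIdHygieneFilter implements Filter {

    private static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI();

        if (path.endsWith("/logout")) {
            // Drop the server-side session first, then tell the browser to
            // forget the cookie so the old id cannot be presented again.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            expireSessionCookie(request, response);
        } else if (path.endsWith("/login") && "POST".equals(request.getMethod())) {
            // Rotate the id when authentication happens so an id that existed
            // before login is never carried into the authenticated session.
            if (request.getSession(false) != null) {
                request.changeSessionId(); // Servlet 3.1+, issues a new Set-Cookie
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * Emits Set-Cookie: JSESSIONID=; Max-Age=0 on the same Path the container
     * used when it issued the cookie. If the Path differs, the browser keeps
     * the original cookie and stores a second one instead of removing it.
     */
    static void expireSessionCookie(HttpServletRequest request, HttpServletResponse response) {
        Cookie cookie = new Cookie(SESSION_COOKIE, "");
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        cookie.setMaxAge(0);
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        response.addCookie(cookie);
    }

    @Override
    public void destroy() {
        // no resources held
    }
}
```

Two caveats matter in practice. The expiring Set-Cookie only replaces the browser's copy when its `Path` (and `Domain`, if one was set) matches the cookie Tomcat originally issued, which is one reason a cookie reset can appear to "not apply everywhere". And nothing later in the same logout response should call `getSession(true)`: that would make the container append a fresh JSESSIONID Set-Cookie after the expiring one, and the browser would keep the newer value.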
--
You received this message because you are subscribed to the Google Groups "CAS
Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/9a5472f5-67d6-45be-d087-5a6f8cae0cd5%40recia.fr.