Hi All,
I  have a question regarding the security of the TGT cookie in CAS.
For CAS communications we are using https. All redirects using post instead
of get.
I can see CAS client is doing a tampering validation with the service
ticket.
But if somehow i can obtain a TGT cookie(its not encrypted) from database(we
are using JPATicketRegistry),
when first request goes to CAS with gateway=true  I can use tamper data and
edit cookie to include
CASTGC=TGT-432-sGScVyV7TfwaLWeDpCmEdim2twNCmPtB0bsrdfzi4ZavvwZTgA-cas
in the Header so that CAS will correctly validate in and login.is there any
way to prevent hacking of tickets other than restricting acess for the
tables from DB side.
Is there any encryption possible by configuration in CAS.
Regards
Hari

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to