I would lean towards either generating it as an error or considering it a
new session.

The CAS Client for Java, if it sees a ticket, will treat it as a new
authentication request.

Cheers,
Scott


On Thu, May 20, 2010 at 3:25 PM, Joachim Fritschi <
[email protected]> wrote:

> One of the issues [1] that was recently opened for the phpCAS client has
> left me with a question I struggle with answering myself. The CAS protocol
> definition hasn't helped me much.
>
> How should a CAS client react if I submit a new [SP]T during a valid
> session and the new ticket was not explicitly requested with one of the
> client's own functions (recheck authentication with a gateway or renew call)?
>
> I have gathered a few options and have tried to analyse them below:
>
> 1. ignore the ticket
>  a) remove it from the url and log it to the debug log
>  b) ignore ticket and issue some error message that this is not supported +
> reload page button with ticket removed
> 2. validate the ticket
>  a) if valid update the session with possible new data (attributes, ticket
> info for single logout etc.)
>  b) if invalid
>     I) ignore
>     II) kill old session
>
>
> 1-b seems to be the best solution. Simple and clean. If they want to
> reauthenticate they can use one of the client supplied functions. The
> customer gets an error and can resume the old session.
>
> 1-a is not that good since it will bury the error somewhere in the
> debug log.
>
> 2-b-II is really bad since it will allow a malicious user to kill your
> session with a bad ticket.
>
> That leaves the combination 2-a / 2-b-I. This is also a potential security
> hole since this will not revalidate a session but only update the
> attributes. (That should be cached by the server anyway, right?) This might
> lead to some confusion for the users.
>
> Am I missing something? Thanks in advance for your ideas and input.
>
> Regards,
>
> Joachim
>
> [1] http://www.ja-sig.org/issues/browse/PHPCAS-61
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-dev
>
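The two policies the thread settles on, as an added example that is not part of the original messages, the phpCAS code base, or the CAS Client for Java: option 1-b (ignore the unsolicited ticket, report an error and hand back the URL with the ticket stripped so the existing session resumes) and Scott's "treat it as a new authentication request". Both paths deliberately avoid 2-b-II: an invalid ticket never terminates the session that is already valid. The ticket validator is a constructed stand-in (a dict lookup); a real client calls the CAS server's validation endpoint over HTTPS. Session, Policy and handle_request are names chosen for this example.

```python
"""Handling a ticket= parameter that arrives while a session is already valid.

Policies:
  ERROR        option 1-b from the thread: ignore the ticket, tell the user,
               offer the same URL with the ticket removed.
  NEW_SESSION  the behaviour described for the Java client: validate the
               ticket as a fresh login and replace the session if it is good.
An invalid ticket never destroys the existing session (option 2-b-II); doing
so would let anyone who can get a user to follow a link end that user's session.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the CAS server's ticket validation endpoint.
# Assumption: a real client validates over HTTPS; here ticket -> user.
CONSTRUCTED_VALID_TICKETS = {"ST-1-validexample": "alice"}


def validate_ticket(ticket: str, service: str) -> Optional[str]:
    """Return the user the ticket authenticates for `service`, or None."""
    return CONSTRUCTED_VALID_TICKETS.get(ticket)


@dataclass
class Session:
    user: str
    ticket: str
    # Set by the client's own gateway/renew helpers before redirecting to CAS,
    # so that a ticket coming back afterwards is expected, not unsolicited.
    ticket_expected: bool = False


class Policy(Enum):
    ERROR = "error"              # option 1-b in Joachim's list
    NEW_SESSION = "new_session"  # Scott's description of the Java client


def strip_ticket(url: str) -> str:
    """Remove the ticket= query parameter, keeping every other parameter."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def handle_request(session: Optional[Session], url: str, policy: Policy
                   ) -> Tuple[Optional[Session], str, str]:
    """Process one request URL against the current session.

    Returns (session_after, outcome, url_to_continue_with) where outcome is
    "no_ticket", "error", "invalid_ticket" or "authenticated".
    """
    parts = urlsplit(url)
    ticket = dict(parse_qsl(parts.query)).get("ticket")
    service = strip_ticket(url)  # the service URL never carries the ticket

    if ticket is None:
        return session, "no_ticket", url

    unsolicited = session is not None and not session.ticket_expected
    if unsolicited and policy is Policy.ERROR:
        # 1-b: leave the session untouched; the user reloads without the ticket.
        return session, "error", service

    # Either a normal login (no session / ticket requested by gateway or renew)
    # or NEW_SESSION policy: validate like any fresh authentication.
    user = validate_ticket(ticket, service)
    if user is None:
        # 2-b-I, not 2-b-II: a bad ticket must not kill the existing session.
        return session, "invalid_ticket", service
    return Session(user=user, ticket=ticket), "authenticated", service


if __name__ == "__main__":
    current = Session(user="bob", ticket="ST-0-old")
    print(handle_request(current, "https://app.example/page?x=1&ticket=ST-forged",
                         Policy.NEW_SESSION))
```

The session object is returned unchanged (same instance) on every path except a successful validation, which is the property the thread is after: the only way an outsider's crafted link can change anything is by presenting a ticket the CAS server itself vouches for.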
