Hi all, I wanted to get some list input about the behavior users experience when visiting /cas/login with no service parameter. We've determined that the following somewhat confusing behaviors occur:
1. When accessing /cas/login over a non-SSL URL, users are always presented with the CAS login form, even if the user has a currently-valid CAS session.
2. When accessing /cas/login over SSL, once a user has logged into CAS, s/he is always presented with the generic login success page, even if the user's TGT has expired. This screen appears to be presented until the user's browser is restarted.

Just to be clear, the behavior I'm describing doesn't seem to have any implications for security, and users are never successfully authenticated to services without a valid TGT. The concern is merely that the behavior might be confusing to users or implementers who visit the login URL without a service parameter.

We've confirmed this behavior against the 3.4.2.1 release, though I would imagine the behavior occurs in other releases as well.

From my analysis of the code, it looks like both these behaviors result from the way cookies are handled in the browser. When you first visit /cas/login, the CAS webflow checks to see if you have a TGT (ticket granting ticket) ID saved as a cookie. If the cookie was found, the flow then checks to see if a service was specified. If no service parameter exists, the flow

1. Check presence of TGT cookie. If no cookie was found, send the user to the login page. If a cookie exists, check the service.
2. If no service was found, display the "generic success" page (that's the one that says your login was successful). If a service was found, attempt to get a service ticket for the service.

The code doesn't check to see whether the TGT ID corresponds to a currently-valid TGT until it gets to the step of attempting to get a service ticket. Since the cookie sticks around until either you actively log out of CAS or close your browser, if you don't specify a service, you'll see the generic login success message even if your session has expired.

The non-SSL (8080) version of CAS never displays the generic login message because the TGT cookie is marked as "secure." As a result, that ticket never gets sent over an insecure connection.

Is this behavior that the CAS community would consider a bug? Should I file a JIRA?

- Jen

--
Jen Bourey
Software Developer
Unicon, Inc.
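The following is an added model of the /cas/login webflow as the post describes it, written for this page to make the two observations reproducible; it is not CAS code and does not use the CAS API. It assumes a cookie name (CASTGC), a browser-side cookie jar that withholds "secure" cookies on plain-HTTP requests, and that an expired TGT with a service parameter sends the user back to the login form. The `check_tgt_before_generic_success` flag adds the missing validation step so the "as described" and "validating first" behaviors can be compared side by side.

```python
"""Model of the /cas/login decision flow described in the post (not CAS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

TGT_COOKIE = "CASTGC"  # assumed name for the TGT-id cookie


@dataclass
class Cookie:
    value: str
    secure: bool  # a 'secure' cookie is only sent over HTTPS


@dataclass
class Browser:
    """Session cookie jar: entries survive until logout or browser restart."""
    jar: Dict[str, Cookie] = field(default_factory=dict)

    def cookies_for(self, https: bool) -> Dict[str, str]:
        # Observation 1: over plain HTTP the secure TGT cookie is withheld.
        return {n: c.value for n, c in self.jar.items() if https or not c.secure}

    def restart(self) -> None:
        self.jar.clear()


@dataclass
class Request:
    https: bool
    cookies: Dict[str, str]
    service: Optional[str] = None


class CasServer:
    def __init__(self, check_tgt_before_generic_success: bool) -> None:
        self.check_before_generic_success = check_tgt_before_generic_success
        self._expired: Dict[str, bool] = {}  # tgt id -> expired?
        self._count = 0

    def authenticate(self, browser: Browser) -> str:
        """Successful login: mint a TGT and set it as a secure session cookie."""
        self._count += 1
        tgt_id = f"TGT-{self._count}"
        self._expired[tgt_id] = False
        browser.jar[TGT_COOKIE] = Cookie(tgt_id, secure=True)
        return tgt_id

    def expire(self, tgt_id: str) -> None:
        self._expired[tgt_id] = True

    def tgt_is_valid(self, tgt_id: str) -> bool:
        return tgt_id in self._expired and not self._expired[tgt_id]

    def login(self, req: Request) -> str:
        # Step 1: is a TGT cookie present at all?
        tgt_id = req.cookies.get(TGT_COOKIE)
        if tgt_id is None:
            return "login-form"
        # Step 2: no service -> generic success page. As described in the
        # post, the TGT is not validated here unless the flag is on.
        if req.service is None:
            if self.check_before_generic_success and not self.tgt_is_valid(tgt_id):
                return "login-form"
            return "generic-success"
        # Service given: validation happens while trying to issue a service ticket.
        if not self.tgt_is_valid(tgt_id):
            return "login-form"  # assumption: invalid TGT falls back to the form
        return f"redirect:{req.service}?ticket=ST-for-{tgt_id}"


def run_scenarios(check_tgt_before_generic_success: bool) -> Dict[str, str]:
    """Walk one browser through login, expiry and restart; return what it sees."""
    cas = CasServer(check_tgt_before_generic_success)
    browser = Browser()
    service = "https://app.example.org/"  # constructed service URL
    seen: Dict[str, str] = {}

    def visit(https: bool, service: Optional[str] = None) -> str:
        return cas.login(Request(https, browser.cookies_for(https), service))

    seen["fresh-https"] = visit(True)
    tgt_id = cas.authenticate(browser)
    seen["logged-in-https"] = visit(True)
    seen["logged-in-http"] = visit(False)          # observation 1
    seen["logged-in-service"] = visit(True, service)
    cas.expire(tgt_id)
    seen["expired-https"] = visit(True)            # observation 2
    seen["expired-service"] = visit(True, service)
    browser.restart()
    seen["after-restart"] = visit(True)
    return seen


if __name__ == "__main__":
    for label, flag in (("as described", False), ("validating first", True)):
        print(label)
        for name, page in run_scenarios(flag).items():
            print(f"  {name:20} -> {page}")
```

With the flag off, `expired-https` yields `generic-success` (the stale-cookie confusion) while `expired-service` still refuses to issue a service ticket, matching the post's point that the behavior is cosmetic rather than a bypass; with the flag on, the expired session lands on the login form in both cases.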
