Hi, I have a question about ST expiration policy. Based on my need, ST can only be used once and I set it to expire 30 seconds from the time it is created.
SSO is running as a separate web app while client applications run on a separate server. SSO creates the ST and redirects to the client app, and the filter from the client app sends the validate request to SSO to verify the ST. This is all working great when there is no network delay involved.

My application has a global user presence. Under certain circumstances, the user's validate request is taking considerable time to make it back to SSO, sometimes up to 3 minutes. But this is only 10% of my userbase. Based on this I cannot change the ST validity to 3 minutes because, for the 3 minute time period, I will be making my application insecure should someone get hold of that ST. But I did not find any other way of securely transferring the ST to the client application thus minimizing the risk of compromising security.

Any ideas please? I saw CAS comes with a POST option, but in the code I see it only posts to a page within the CAS web app. This is acceptable to my application flow. The user has to seamlessly go to the client application he is trying to reach without having to click again.

Thanks
Madhavi
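The policy described in this message (a service ticket that is valid once and for 30 seconds), modelled as an added example that is not part of the original post and is not CAS code. The class, result strings and URLs are constructed for illustration, and the clock is passed in as `now` so the delays are reproducible.

```python
import secrets
from dataclasses import dataclass


@dataclass
class _Ticket:
    service: str      # service URL the ticket was issued for
    issued_at: float  # issue time in seconds


class ServiceTicketRegistry:
    """Toy model of single-use, time-limited service tickets (hypothetical, not CAS code)."""

    def __init__(self, ttl_seconds=30.0):
        self.ttl = ttl_seconds
        self._tickets = {}

    def grant(self, service, now):
        st = "ST-" + secrets.token_urlsafe(24)  # unguessable ticket id
        self._tickets[st] = _Ticket(service, now)
        return st

    def validate(self, st, service, now):
        # pop(): any validation attempt consumes the ticket, so a replayed
        # ticket fails whether or not the first attempt succeeded.
        ticket = self._tickets.pop(st, None)
        if ticket is None:
            return "UNKNOWN_OR_ALREADY_USED"
        if now - ticket.issued_at > self.ttl:
            return "EXPIRED"
        if service != ticket.service:
            return "SERVICE_MISMATCH"
        return "OK"


def demo():
    reg = ServiceTicketRegistry(ttl_seconds=30)
    app = "https://app.example.org/"  # constructed service URL
    results = []
    fast = reg.grant(app, now=0)
    results.append(reg.validate(fast, app, now=5))    # normal round trip
    results.append(reg.validate(fast, app, now=6))    # replay of a used ticket
    slow = reg.grant(app, now=0)
    results.append(reg.validate(slow, app, now=180))  # the 3-minute delay case
    other = reg.grant(app, now=0)
    results.append(reg.validate(other, "https://other.example.org/", now=5))
    return results


if __name__ == "__main__":
    print(demo())
```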