The intention is that it indicates if subsequent service tickets were vended from a remember me session. It's the client application's responsibility to determine at what point they consider a "remembered" session to be dangerous. That is purposely completely the client's responsibility.

Closing/re-opening the browser is not a good indicator when remember me should be sent. I rarely close my web browser (shocking, considering this is a Windows laptop) and Macs have that resume/re-open windows state of which I don't know if that gets flagged as a closed/open or not. Public terminals may or may not have their browser closed.

Cheers,
Scott

On Thu, Jul 19, 2012 at 11:12 AM, jleleu <lel...@gmail.com> wrote:
> Hi,
>
> I re-started working on the remember-me feature that I'd like to see
> completely working.
>
> First, I proposed some improvements to make CAS remember-me work on client
> side for Shiro client (see https://issues.apache.org/jira/browse/SHIRO-373)
> and Spring Security client (see
> https://jira.springsource.org/browse/SEC-1986). The mechanism is mainly
> based on the use of the renew parameter to force re-authentication on CAS
> server side. I planned subsequently to do the same on Java CAS client and
> some evolutions on CAS server also.
>
> But Rob Winch, the leader of Spring Security, pointed out to me that our
> remember-me is not working very well.
>
> Right now, the test in Saml10SuccessResponseView class to determine if
> it's a remember-me is:
>
>     final boolean isRemembered = (authentication.getAttributes()
>         .get(RememberMeCredentials.AUTHENTICATION_ATTRIBUTE_REMEMBER_ME) ==
>         Boolean.TRUE && !assertion.isFromNewLogin());
>
> The first part is matched by the fact that the check box "Remember-me" (on
> login page) has been checked and the second part means the user has just
> filled in their login and password.
>
> That means the first application accessed is not marked in remember-me but
> the second one is, even if the browser has not been closed. I would expect
> to mark applications with remember-me only after a browser has been closed
> and reopened.
>
> Before creating a JIRA and submitting a pull request to rectify this
> behaviour, I would like us all to agree on the definition of what
> remember-me is in CAS.
>
> Thanks.
> Best regards,
> Jérôme
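
Added example, not part of the original thread and not CAS or client-library code: the server-side flag quoted above, next to one possible client-side policy that decides when a flagged session must go back through CAS with renew=true. The class and method names, the "sensitive" marker, the availability of the original login time, and the eight-hour limit are all assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;

/** Illustration only: hypothetical names, not the CAS server or any CAS client API. */
public class RememberMePolicy {

    /** Mirrors the quoted test: remember-me was ticked AND this ticket is not from a fresh login. */
    static boolean isRemembered(boolean rememberMeChecked, boolean fromNewLogin) {
        return rememberMeChecked && !fromNewLogin;
    }

    /**
     * Client-side decision (assumed policy): should this request be redirected to CAS
     * with renew=true so the user re-enters credentials?
     * - unflagged tickets are accepted as-is;
     * - flagged tickets are never accepted for sensitive resources;
     * - flagged tickets for other resources are accepted until the login is older than maxAge.
     */
    static boolean requiresRenew(boolean remembered, boolean sensitive,
                                 Instant authenticatedAt, Instant now, Duration maxAge) {
        if (!remembered) {
            return false;
        }
        if (sensitive) {
            return true;
        }
        return Duration.between(authenticatedAt, now).compareTo(maxAge) > 0;
    }

    public static void main(String[] args) {
        // Constructed scenario: user ticks "Remember-me" and logs in at 09:00.
        Instant login = Instant.parse("2012-07-19T09:00:00Z");
        Duration maxAge = Duration.ofHours(8);

        // First application: ticket comes straight from the login form, so it is not flagged.
        boolean first = isRemembered(true, true);
        // Second application, same browser session five minutes later: flagged by the quoted test.
        boolean second = isRemembered(true, false);
        System.out.printf("first app flagged=%b, second app flagged=%b%n", first, second);

        Instant soon = login.plus(Duration.ofMinutes(5));
        Instant nextDay = login.plus(Duration.ofHours(26));
        System.out.printf("second app, ordinary page, +5min -> renew=%b%n",
                requiresRenew(second, false, login, soon, maxAge));
        System.out.printf("second app, sensitive page, +5min -> renew=%b%n",
                requiresRenew(second, true, login, soon, maxAge));
        System.out.printf("second app, ordinary page, +26h -> renew=%b%n",
                requiresRenew(second, false, login, nextDay, maxAge));
    }
}
```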