On Fri, 21 Oct 2016, Yan Zhou wrote:

Hello,

It was said that the TGT cookie (TGC) is hidden, so that we won't see it.

I am curious how the browser can send such a hidden cookie to CAS, when the user goes
to apps?  If the browser can see it, there should be a way for us to see it.

The reason I am asking is because I noticed that Ajax XhrRequest does not
seem to send the TGC cookie in some circumstances, so I need to investigate.

The TGC is set by the CAS server using the domain of the CAS server. For example, my CAS server is at https://login.oregonstate.edu/cas/ and the TGC has a domain of "login.oregonstate.edu" and a path of "/cas". The browser will only send the cookie to the CAS, not the CAS client.

The TGC persists the SSO session. It is not used by client applications. They receive a Service Ticket (ST) appended to the URL and validate the ST by calling CAS's /serviceValidate endpoint.

A more complete description of this can be found at:

  https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html

Thanks,
        Andy
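
The domain and path scoping described in the reply above, as an added example that is not part of the original thread. It applies the RFC 6265 domain-match and path-match rules to the TGC values quoted in the message; the cookie name "TGC", the Secure flag, the host-only setting and the client host app.example.edu are assumptions.

```javascript
// Added example: decides whether a browser would attach the TGC to a request,
// using the RFC 6265 domain-match and path-match rules (section 5.1.3 / 5.1.4).
// Domain and path come from the message; name, secure and hostOnly are assumed.
const tgc = {
  name: "TGC",
  domain: "login.oregonstate.edu",
  path: "/cas",
  secure: true,    // assumption: cookie is only sent over HTTPS
  hostOnly: true,  // assumption: no Domain attribute, so no subdomain matching
};

function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  if (cookie.hostOnly) return h === d;
  // With a Domain attribute, subdomains of d also match.
  return h === d || h.endsWith("." + d);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // The prefix must end on a "/" boundary, so "/casino" does not match "/cas".
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

function browserSendsCookie(requestUrl, cookie) {
  const u = new URL(requestUrl);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// Constructed sample requests: the CAS server itself and a hypothetical CAS client.
const sampleRequests = [
  "https://login.oregonstate.edu/cas/login?service=https%3A%2F%2Fapp.example.edu%2F",
  "https://login.oregonstate.edu/cas/serviceValidate",
  "https://login.oregonstate.edu/casino",
  "https://app.example.edu/cas/login",
  "http://login.oregonstate.edu/cas/login",
];

function requestsCarryingTgc(urls, cookie) {
  return urls.filter((url) => browserSendsCookie(url, cookie));
}

console.log(requestsCarryingTgc(sampleRequests, tgc));
```

Only the first two sample requests carry the cookie, which is why a CAS client never sees the TGC and has to rely on the Service Ticket instead.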
