Juan,

The session id is managed by tomcat. If this happened once, then it could be chalked up to coincidence. But that does not sound like the case. You might try tomcat forums.

In the meantime you could try changing jsessionid to something else (jsessionidcas) to avoid potential conflicts with other tomcat sessions. (All CAS servers in the cluster need the same setting.) It can be set in the application's web.xml or in tomcat, see https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes.

Ray

On Tue, 2018-09-04 at 20:48 +0000, Juan Quintanilla wrote:
> Hi,
>
> We recently encountered an interesting issue with our CAS implementation: in a few rare cases we have had some users report that when logging into a client application (Canvas) they were logged in as another user.
>
> In brief: User A attempts to log in with an auto-saved password, and User B was also logging in around the same time as User A. When User A is logged in, they see User B's information.
>
> After taking a look at the audit logs we noticed that when User A was logging in there was no Login entry; they were given a Service ticket with their IP and User B's username, as if they had already authenticated. For User B we did see the login authentication and the ST and TGT tickets created under their IP, but we later saw that the TGT was destroyed under User A's IP.
>
> Also, looking in the access logs I found that for this particular case the 2 users had the same JSESSIONID:
>
> 99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/login?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 200 5830
> 99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/app.js HTTP/1.1" 200 526
> 99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/cas.css HTTP/1.1" 200 8796
> 99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/images/fiu_logo.png HTTP/1.1" 200 12186
> 99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:28 -0400] "GET /cas/favicon.ico;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69 HTTP/1.1" 200 3262
> c-98-254-138-84.hsd1.fl.comcast.net - - [02/Sep/2018:12:20:30 -0400] "POST /cas/login;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 302 -
> - - - - [31/Dec/1969:18:59:59 -0500] "-" 505 -
>
> So my question would be: what might cause this to happen? Could the fact that they had the same jsessionid cause the user to log in as the other user?
>
> ___________________
> Juan Quintanilla
> jquin...@fiu.edu<mailto:jquin...@fiu.edu>

-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1536255620.2801.9.camel%40uvic.ca.
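The check a defender wants when investigating a report like the one above is whether one session id shows up from more than one client host in the CAS access log, and in particular whether the credential POST to /cas/login arrived on a session first seen from a different host (exactly the shape of the two lines Juan quoted). The script below is an added example written for this thread; it is not code from the CAS project or from either poster. It parses access log lines in the "%h %l %u %t \"%r\" %s %b" layout shown above (Tomcat's AccessLogValve common pattern), skips entries with no request line (such as the `"-" 505 -` line), and the sample log lines are constructed, with example.net hosts and placeholder session ids, to mirror the thread's.

```python
"""Flag CAS/Tomcat session ids that are used from more than one client host.

Added example for the cas-user thread above, not code from the CAS project.
Input is an access log in Tomcat's common pattern: %h %l %u %t "%r" %s %b
"""
import re
from collections import defaultdict

# One access log line: client host, ident, user, [timestamp], "request line",
# status, response size.  The request line must start with an HTTP method so
# that Tomcat's '"-" 505 -' entries (no parseable request line) are skipped.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[0-9.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Session id carried as a URL path parameter (";jsessionid=...").  The name is
# matched loosely so a renamed id such as ";jsessionidcas=" is recognised too.
SESSION_RE = re.compile(r';jsessionid\w*=(?P<sid>[0-9A-Za-z]+)', re.IGNORECASE)

# Constructed sample lines in the same layout as the thread's access log
# (example.net hosts; the session ids are placeholders).
SAMPLE_ACCESS_LOG = """\
host-a.example.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/login?service=https%3A%2F%2Flms.example.edu%2Flogin%2Fcas HTTP/1.1" 200 5830
host-a.example.net - - [02/Sep/2018:12:20:28 -0400] "GET /cas/favicon.ico;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69 HTTP/1.1" 200 3262
host-b.example.net - - [02/Sep/2018:12:20:30 -0400] "POST /cas/login;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69?service=https%3A%2F%2Flms.example.edu%2Flogin%2Fcas HTTP/1.1" 302 -
host-c.example.net - - [02/Sep/2018:12:21:02 -0400] "GET /cas/login;jsessionid=7F1A2B3C4D5E6F708192A3B4C5D6E7F8?service=https%3A%2F%2Flms.example.edu%2Flogin%2Fcas HTTP/1.1" 200 5830
host-c.example.net - - [02/Sep/2018:12:21:05 -0400] "POST /cas/login;jsessionid=7F1A2B3C4D5E6F708192A3B4C5D6E7F8?service=https%3A%2F%2Flms.example.edu%2Flogin%2Fcas HTTP/1.1" 302 -
- - - - [31/Dec/1969:18:59:59 -0500] "-" 505 -
"""


def parse_line(line):
    """Parse one access log line into a dict (host, ts, method, path, proto,
    status, size, sid).  sid is None when the path carries no session id;
    the whole result is None for lines without a parseable request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    s = SESSION_RE.search(rec["path"])
    rec["sid"] = s.group("sid").upper() if s else None
    return rec


def session_activity(lines):
    """Group requests by session id, in log order:
    {sid: [(host, timestamp, method, path), ...]}"""
    by_sid = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sid"] is None:
            continue
        by_sid[rec["sid"]].append((rec["host"], rec["ts"], rec["method"], rec["path"]))
    return dict(by_sid)


def shared_sessions(lines):
    """Return {sid: sorted client hosts} for every session id seen from
    more than one host.  This is the broad signal to triage."""
    result = {}
    for sid, events in session_activity(lines).items():
        hosts = sorted({host for host, _ts, _method, _path in events})
        if len(hosts) > 1:
            result[sid] = hosts
    return result


def foreign_login_posts(lines):
    """Tighter signal matching the thread's case: a credential POST to
    /cas/login on a session id that was first seen from a different host.
    Returns [(sid, first_host, posting_host, post_timestamp), ...]."""
    flagged = []
    for sid, events in session_activity(lines).items():
        first_host = events[0][0]
        for host, ts, method, path in events:
            if method == "POST" and path.startswith("/cas/login") and host != first_host:
                flagged.append((sid, first_host, host, ts))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_ACCESS_LOG.splitlines()
    for sid, hosts in shared_sessions(lines).items():
        print(f"session {sid} used from {len(hosts)} hosts: {', '.join(hosts)}")
    for sid, first, poster, ts in foreign_login_posts(lines):
        print(f"login POST at {ts} from {poster} on session {sid} first seen from {first}")
```

Run it against a real CAS access log by replacing the constructed sample with the file's lines. A session id seen from two hosts is a lead, not proof: a user moving between networks, NAT, or a URL containing `;jsessionid=` that was copied to another browser will produce the same pattern, which is why the narrower `foreign_login_posts` check (credentials posted on a session another host opened) is the one worth alerting on. Note that access logs only show the session id when it is URL-rewritten into the path; a cookie-carried id is invisible here unless the log pattern records cookies.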