Hi all,
we are currently using CAS 5.3.3 and recently experienced that a user is
able to create multiple SSO sessions (ticket granting tickets) by doing the
following:
1. Open one service (SERVICE_1) which is using the CAS SSO in one tab
(TAB_1). The user is then redirected to the CAS Login page but *does not
login* yet!
2. Open another service (SERVICE_2) which is using the CAS SSO in a second
tab (TAB_2). The user is then redirected to the CAS Login page, logs in and
is redirected to the service. CAS creates an SSO session with the
authenticated service (SERVICE_1).
3. Go back to TAB_1 and login. CAS creates a second SSO session with the
authenticated service (SERVICE_2)
As a result, *two* sessions exist. This is a behaviour we didn't expect. Since
we are also using the single logout, this results in the problem that when
logging off, only one of the SSO sessions is terminated and, as a consequence,
the BACK_CHANNEL logout request is only sent to one service and the user is
still logged on at the other.
Technically we saw that the existing TGT cookie is actually ignored when
submitting the user credentials if it didn't exist when opening the login
page.
For now we solved this by changing the login-webflow.xml to make sure that
the initialFlowSetupAction is also executed when submitting the user
credentials:
<!-- Login form: on submit, run the flow setup again instead of going straight to realSubmit -->
<view-state id="viewLoginForm" view="casLoginView" model="credential">
    <binder>
        <binding property="username" required="true"/>
        <binding property="password" required="true"/>
    </binder>
    <transition on="submit" bind="true" validate="true"
                to="initialFlowSetupAction" history="invalidate"/>
</view-state>

<!-- Re-reads the request on the POST, so a TGT cookie set after the form was rendered is picked up -->
<action-state id="initialFlowSetupAction">
    <evaluate expression="initialFlowSetupAction"/>
    <transition on="success" to="checkTicket"/>
</action-state>

<!-- Valid TGT already present: reuse it (hasServiceCheck); missing or invalid: authenticate the credentials -->
<action-state id="checkTicket">
    <evaluate expression="ticketGrantingTicketCheckAction"/>
    <transition on="valid" to="hasServiceCheck"/>
    <transition on="invalid" to="realSubmit"/>
    <transition on="notExists" to="realSubmit"/>
</action-state>

<!-- Unchanged from the stock login webflow -->
<action-state id="realSubmit">
    <evaluate expression="authenticationViaFormAction"/>
    <transition on="warn" to="warn"/>
    <transition on="success" to="createTicketGrantingTicket"/>
    <transition on="successWithWarnings"
                to="showAuthenticationWarningMessages"/>
    <transition on="authenticationFailure"
                to="handleAuthenticationFailure"/>
    <transition on="error" to="initializeLoginForm"/>
</action-state>
However, we are wondering whether this behaviour of CAS is intended and, if so,
what the reasons behind it are.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4e1b5ae3-cb16-4bb8-8eb2-45be5f5e71e1%40apereo.org.
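As an added example (not from the original post or from the CAS project), the same change expressed as a CAS 5.3 webflow configurer in Java rather than a hand-edited login-webflow.xml. The AbstractCasWebflowConfigurer methods, the CasWebflowConstants names and the bean names initialFlowSetupAction and ticketGrantingTicketCheckAction are assumed from CAS 5.3; the class name and the two new state ids are my own.

```java
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.springframework.context.ApplicationContext;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.ActionState;
import org.springframework.webflow.engine.Flow;
import org.springframework.webflow.engine.Transition;
import org.springframework.webflow.engine.ViewState;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.engine.support.DefaultTargetStateResolver;

// Hypothetical configurer (not shipped with CAS): re-runs flow setup and the TGT check on form
// submit, so a TGC that appeared after the form was rendered is reused instead of a second TGT minted.
public class ReuseExistingTgtOnSubmitWebflowConfigurer extends AbstractCasWebflowConfigurer {
    // State ids chosen for this example; they must not collide with existing login-flow states.
    private static final String STATE_SETUP_ON_SUBMIT = "initialFlowSetupOnSubmit";
    private static final String STATE_CHECK_TGT_ON_SUBMIT = "checkTicketOnSubmit";

    public ReuseExistingTgtOnSubmitWebflowConfigurer(final FlowBuilderServices flowBuilderServices,
                                                     final FlowDefinitionRegistry loginFlowDefinitionRegistry,
                                                     final ApplicationContext applicationContext,
                                                     final CasConfigurationProperties casProperties) {
        super(flowBuilderServices, loginFlowDefinitionRegistry, applicationContext, casProperties);
    }

    @Override
    protected void doInitialize() {
        final Flow flow = getLoginFlow();
        if (flow == null) { return; }

        // 1. Re-read the request (including the TGC cookie) on the POST, exactly as on the initial GET.
        final ActionState setup = createActionState(flow, STATE_SETUP_ON_SUBMIT,
            createEvaluateAction("initialFlowSetupAction"));
        createTransitionForState(setup, CasWebflowConstants.TRANSITION_ID_SUCCESS, STATE_CHECK_TGT_ON_SUBMIT);

        // 2. Valid TGT present -> skip authentication and let hasServiceCheck issue the service ticket;
        //    missing or invalid TGT -> authenticate the submitted credentials as before.
        final ActionState check = createActionState(flow, STATE_CHECK_TGT_ON_SUBMIT,
            createEvaluateAction("ticketGrantingTicketCheckAction"));
        createTransitionForState(check, "valid", CasWebflowConstants.STATE_ID_HAS_SERVICE_CHECK);
        createTransitionForState(check, "invalid", CasWebflowConstants.STATE_ID_REAL_SUBMIT);
        createTransitionForState(check, "notExists", CasWebflowConstants.STATE_ID_REAL_SUBMIT);

        // 3. Retarget the existing "submit" transition so its bind/validate attributes are kept.
        final ViewState loginForm = getState(flow, CasWebflowConstants.STATE_ID_VIEW_LOGIN_FORM, ViewState.class);
        final Transition submit = (Transition) loginForm.getTransition(CasWebflowConstants.TRANSITION_ID_SUBMIT);
        submit.setTargetStateResolver(new DefaultTargetStateResolver(STATE_SETUP_ON_SUBMIT));
    }
}
```

The class still has to be registered as a CasWebflowConfigurer bean in your overlay's configuration, as for any other custom webflow configurer.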