Hi,

You have the following property/option: *cas.tgc.pinToSession* (true by default) to attach the IP and user-agent to the SSO session. In most cases, it's the right choice, but you may want to disable that behavior.

Thanks.
Best regards,
Jérôme
On Tuesday, 28 January 2020 11:46:57 UTC+1, Andy Ng wrote:
>
> Hi Justin,
>
> Nice that you thought of a workaround!
>
> I think it is strange that the ticket granting ticket contains the user agent...
>
> Therefore, I have gone ahead and done some additional digging and found the following:
>
> https://github.com/apereo/cas/blob/v5.3.7/core/cas-server-core-cookie-api/src/main/java/org/apereo/cas/web/support/DefaultCasCookieValueManager.java#L58
>
> It seems to me that, instead of the TGT containing the user agent, it is the cookie manager that will not allow a cookie created under a different user agent.
>
>     @Override
>     protected String obtainValueFromCompoundCookie(final String cookieValue,
>                                                    final HttpServletRequest request) {
>         val cookieParts = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR))
>             .splitToList(cookieValue);
>         if (cookieParts.isEmpty()) {
>             throw new IllegalStateException("Invalid empty cookie");
>         }
>         val value = cookieParts.get(0);
>         if (!cookieProperties.isPinToSession()) {
>             LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided");
>             return value;
>         }
>         if (cookieParts.size() != COOKIE_FIELDS_LENGTH) {
>             throw new IllegalStateException("Invalid cookie. Required fields are missing");
>         }
>         val remoteAddr = cookieParts.get(1);
>         val userAgent = cookieParts.get(2);
>         if (Stream.of(value, remoteAddr, userAgent).anyMatch(StringUtils::isBlank)) {
>             throw new IllegalStateException("Invalid cookie. Required fields are empty");
>         }
>         val clientInfo = ClientInfoHolder.getClientInfo();
>         if (!remoteAddr.equals(clientInfo.getClientIpAddress())) {
>             throw new IllegalStateException("Invalid cookie. Required remote address "
>                 + remoteAddr + " does not match " + clientInfo.getClientIpAddress());
>         }
>         val agent = HttpRequestUtils.getHttpServletRequestUserAgent(request);
>         if (!userAgent.equals(agent)) {
>             throw new IllegalStateException("Invalid cookie. Required user-agent "
>                 + userAgent + " does not match " + agent);
>         }
>         return value;
>     }
>
> Have you seen the above error (*Invalid cookie. Required user-agent....*) in your CAS error log? If so, then it would justify my theory.
>
> Still, I don't think it is wise to touch that part of the source code, but it is always good to know in case you actually need to support the legacy service for cross compatibility with the main browser.
>
> Cheers!
> - Andy

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4cd1f0fa-6eb8-4bb3-ab59-c3dc57b623a7%40apereo.org.
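The following is an added, stand-alone illustration of the session-pinning check discussed in this thread (the compound TGC cookie carrying the ticket id, the client IP and the user agent, and the effect of `cas.tgc.pinToSession`). It is not CAS code and not part of the original messages: the `@` separator, the `value@ip@userAgent` layout, the class and method names and the sample cookie are assumptions made for this demo, chosen to mirror the order of checks in the quoted `obtainValueFromCompoundCookie` method. It needs Java 16 or later (records).

```java
// Added example (not CAS code): a stand-alone model of the TGC session-pinning check.
// Assumptions for the demo: '@' as field separator and a "value@ip@userAgent" layout.
import java.util.Arrays;
import java.util.List;

public class PinnedCookieCheck {

    static final char SEPARATOR = '@'; // assumed separator, not necessarily CAS's
    static final int FIELDS = 3;       // ticket id, remote address, user agent

    /** Outcome of validating one compound cookie value. */
    record Result(boolean accepted, String ticketId, String reason) {}

    /**
     * Validates a compound cookie value against the current client, in the same
     * order as the quoted method: empty check, pinning switch, field count,
     * blank fields, remote address, then user agent.
     */
    static Result validate(String cookieValue, boolean pinToSession,
                           String clientIp, String requestUserAgent) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            return new Result(false, null, "Invalid empty cookie");
        }
        // limit -1 keeps trailing empty fields so a blank user agent is detected, not dropped
        List<String> parts = Arrays.asList(cookieValue.split(String.valueOf(SEPARATOR), -1));
        String value = parts.get(0);
        if (!pinToSession) {
            return new Result(true, value, "Session pinning disabled; value returned as provided");
        }
        if (parts.size() != FIELDS) {
            return new Result(false, null, "Invalid cookie. Required fields are missing");
        }
        String remoteAddr = parts.get(1);
        String userAgent = parts.get(2);
        if (value.isBlank() || remoteAddr.isBlank() || userAgent.isBlank()) {
            return new Result(false, null, "Invalid cookie. Required fields are empty");
        }
        if (!remoteAddr.equals(clientIp)) {
            return new Result(false, null, "Invalid cookie. Required remote address "
                + remoteAddr + " does not match " + clientIp);
        }
        if (!userAgent.equals(requestUserAgent)) {
            return new Result(false, null, "Invalid cookie. Required user-agent "
                + userAgent + " does not match " + requestUserAgent);
        }
        return new Result(true, value, "ok");
    }

    public static void main(String[] args) {
        // Constructed sample: ticket id plus the IP and user agent seen at login.
        String ua = "Mozilla/5.0 (X11) Firefox/72.0";
        String cookie = "TGT-1-demo@203.0.113.10@" + ua;

        // Same client, same browser: accepted.
        System.out.println(validate(cookie, true, "203.0.113.10", ua));
        // Client IP changed (mobile network, a different proxy hop): rejected.
        System.out.println(validate(cookie, true, "198.51.100.7", ua));
        // Different user-agent string (another browser or a legacy client): rejected,
        // with the "Required user-agent ... does not match" message Andy refers to.
        System.out.println(validate(cookie, true, "203.0.113.10", "LegacyClient/1.0"));
        // Pinning disabled: the same mismatched request is accepted, so possession
        // of the cookie alone is enough to resume the SSO session.
        System.out.println(validate(cookie, false, "198.51.100.7", "LegacyClient/1.0"));
        // Ticket id only, no pinning fields: rejected while pinning is on.
        System.out.println(validate("TGT-1-demo", true, "203.0.113.10", ua));
    }
}
```

Running `main` shows the trade-off behind Jérôme's advice: with pinning on, a legitimate user whose IP or user-agent string changes mid-session (a load balancer that does not forward the client address, a client that rotates its user agent) is rejected and must log in again; with pinning off, those users are no longer rejected, but a stolen cookie is also accepted from any address and any client. If you disable it, look for the "Required remote address" and "Required user-agent" messages in the CAS log first to confirm that pinning is really what is rejecting the legacy client, and remember that in a real deployment the compound value is additionally protected by the TGC cookie cipher, so the fields cannot simply be edited client-side.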
