Awesome, thanks for all the feedback guys. Very much appreciated.


________________________________
From: [email protected] <[email protected]> on behalf of leleuj 
<[email protected]>
Sent: Tuesday, January 28, 2020 5:59:55 AM
To: CAS Community <[email protected]>
Subject: [cas-user] Re: Double Login for Mozilla 4.0 User Agent

Hi,

You have the following property/option: cas.tgc.pinToSession (true by default) 
to attach the IP and user-agent to the SSO session.
In most cases, it's the right choice, but you may want to disable that behavior.
Thanks.
Best regards,
Jérôme


On Tuesday, January 28, 2020 at 11:46:57 UTC+1, Andy Ng wrote:
Hi Justin,

Nice that you think of a workaround!

I think it is strange that the ticket granting ticket contains the user agent...

Therefore, I have gone ahead and done some additional digging and found the 
following:
https://github.com/apereo/cas/blob/v5.3.7/core/cas-server-core-cookie-api/src/main/java/org/apereo/cas/web/support/DefaultCasCookieValueManager.java#L58


It seems to me that, instead of the TGT containing the user agent, the cookie 
manager will not allow a cookie created under a different user agent.

@Override
protected String obtainValueFromCompoundCookie(final String cookieValue, final HttpServletRequest request) {
    val cookieParts = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR)).splitToList(cookieValue);
    if (cookieParts.isEmpty()) {
        throw new IllegalStateException("Invalid empty cookie");
    }
    val value = cookieParts.get(0);
    if (!cookieProperties.isPinToSession()) {
        LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided");
        return value;
    }
    if (cookieParts.size() != COOKIE_FIELDS_LENGTH) {
        throw new IllegalStateException("Invalid cookie. Required fields are missing");
    }
    val remoteAddr = cookieParts.get(1);
    val userAgent = cookieParts.get(2);
    if (Stream.of(value, remoteAddr, userAgent).anyMatch(StringUtils::isBlank)) {
        throw new IllegalStateException("Invalid cookie. Required fields are empty");
    }
    val clientInfo = ClientInfoHolder.getClientInfo();
    if (!remoteAddr.equals(clientInfo.getClientIpAddress())) {
        throw new IllegalStateException("Invalid cookie. Required remote address "
            + remoteAddr + " does not match " + clientInfo.getClientIpAddress());
    }
    val agent = HttpRequestUtils.getHttpServletRequestUserAgent(request);
    if (!userAgent.equals(agent)) {
        throw new IllegalStateException("Invalid cookie. Required user-agent "
            + userAgent + " does not match " + agent);
    }
    return value;
}


Have you seen the above error (Invalid cookie. Required user-agent....) in your 
CAS error log? If so, then it would justify my theory.

Still, I don't think it is wise to touch that part of the source code, but 
it is always good to know in case you need to actually support the 
legacy service for cross compatibility and main browser.

Cheers!
- Andy
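
Added example (not part of the original thread and not CAS project code): a small log triage script that counts the two session-pinning failures thrown by the method quoted above, so you can see which user-agent or IP changes are rejecting the cookie before deciding whether to change cas.tgc.pinToSession. The log line layout (timestamp, level, message wrapped in <...>), the sample lines, and the function names are assumptions constructed for illustration; only the two exception message formats come from the quoted source.

```python
import re
from collections import Counter

# Message formats come from the IllegalStateException strings in the quoted method.
UA_RE = re.compile(
    r"Invalid cookie\. Required user-agent (?P<pinned>.*?) does not match (?P<seen>.*?)>?$")
IP_RE = re.compile(
    r"Invalid cookie\. Required remote address (?P<pinned>\S+) does not match (?P<seen>[^\s>]+)")

def pin_failures(lines):
    """Return (ua_pairs, ip_pairs): Counters keyed by (pinned value, presented value)."""
    ua_pairs, ip_pairs = Counter(), Counter()
    for line in lines:
        line = line.rstrip("\n")
        m = UA_RE.search(line)
        if m:
            ua_pairs[(m["pinned"], m["seen"])] += 1
            continue
        m = IP_RE.search(line)
        if m:
            ip_pairs[(m["pinned"], m["seen"])] += 1
    return ua_pairs, ip_pairs

def legacy_ua_failures(ua_pairs, prefix="Mozilla/4.0"):
    """Count user-agent pin failures where either side is a legacy-style agent."""
    return sum(n for (pinned, seen), n in ua_pairs.items()
               if pinned.startswith(prefix) or seen.startswith(prefix))

# Constructed sample log lines (layout is an assumption; IPs are documentation ranges).
SAMPLE_LOG = """\
2020-01-28 10:02:11 ERROR - <Invalid cookie. Required user-agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko does not match Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0)>
2020-01-28 10:05:40 ERROR - <Invalid cookie. Required user-agent Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko does not match Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0)>
2020-01-28 10:09:02 ERROR - <Invalid cookie. Required user-agent ExampleBrowser/1.0 does not match ExampleBrowser/1.1>
2020-01-28 10:12:33 ERROR - <Invalid cookie. Required remote address 192.0.2.10 does not match 198.51.100.7>
2020-01-28 10:13:00 INFO - <Unrelated message>
"""

if __name__ == "__main__":
    ua, ip = pin_failures(SAMPLE_LOG.splitlines())
    for (pinned, seen), n in ua.most_common():
        print(f"{n}x user-agent changed: {pinned!r} -> {seen!r}")
    for (pinned, seen), n in ip.most_common():
        print(f"{n}x remote address changed: {pinned} -> {seen}")
    print("failures involving a Mozilla/4.0 agent:", legacy_ua_failures(ua))
```

A repeated pair with a Mozilla/4.0 agent on one side points at a client that switches user agents mid-session; failures with unrelated agents or changing addresses are the cases the pinning is meant to reject.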









--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected]<mailto:[email protected]>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/4cd1f0fa-6eb8-4bb3-ab59-c3dc57b623a7%40apereo.org<https://groups.google.com/a/apereo.org/d/msgid/cas-user/4cd1f0fa-6eb8-4bb3-ab59-c3dc57b623a7%40apereo.org?utm_medium=email&utm_source=footer>.
