The lifetime of a service ticket is usually set pretty short, 15 or 20
seconds max. Alice needs to leak her ST within that timeframe for it to be
valid, or else Bob should get an invalid ticket error at the client.

You may want to examine the ST lifetime and shorten it.

Thanks,
Carl Waldbieser

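To make the lifetime argument concrete, here is an added model of how a CAS-style service ticket registry enforces a short TTL and one-time validation, so that a ticket reused from a shared bookmark fails. This is illustrative code written for this thread, not CAS's own implementation; the registry class, the reason strings and the `now` parameter are assumptions chosen to keep the timing deterministic.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical in-memory registry modelling CAS service-ticket (ST) semantics:
# an ST is bound to one service URL, expires after a short TTL and may be
# validated exactly once. Time is passed in explicitly so runs are repeatable.


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str
    principal: str
    issued_at: float
    used: bool = False


class TicketRegistry:
    def __init__(self, ttl_seconds: float = 10.0):
        self.ttl = ttl_seconds
        self._tickets: Dict[str, ServiceTicket] = {}

    def grant(self, principal: str, service: str, now: float) -> str:
        ticket_id = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket_id] = ServiceTicket(ticket_id, service, principal, now)
        return ticket_id

    def validate(self, ticket_id: str, service: str, now: float) -> Tuple[Optional[str], str]:
        """Return (principal, reason); principal is None when validation fails."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return None, "INVALID_TICKET"
        if st.used:
            # Replay: the same ticket presented a second time (the shared-bookmark case).
            return None, "TICKET_ALREADY_USED"
        if now - st.issued_at > self.ttl:
            del self._tickets[ticket_id]
            return None, "TICKET_EXPIRED"
        if st.service != service:
            return None, "INVALID_SERVICE"
        st.used = True  # consumed on the first successful validation
        return st.principal, "OK"


def replay_scenario() -> list:
    """Alice's app validates once; a later reuse and a stale leaked ticket both fail."""
    reg = TicketRegistry(ttl_seconds=10)
    t0 = 1000.0
    st = reg.grant("alice", "https://example.com/", t0)
    outcomes = [reg.validate(st, "https://example.com/", t0 + 1)[1]]   # first use: OK
    outcomes.append(reg.validate(st, "https://example.com/", t0 + 5)[1])  # reuse inside TTL
    stale = reg.grant("alice", "https://example.com/", t0)
    outcomes.append(reg.validate(stale, "https://example.com/", t0 + 30)[1])  # never used, past TTL
    return outcomes
```

A real registry would also log the `TICKET_ALREADY_USED` and `TICKET_EXPIRED` outcomes with the requesting client address, which is the signal that a ticket URL has been shared.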

On Fri, Mar 4, 2022, 6:36 AM Rob Pumphrey <[email protected]> wrote:

> Hi,
> We have had a user complain about the behaviour of an application
> protected by CAS single sign on.
>
> The user Alice has logged into the application via the CAS login page,
> then pressed back on their browser and bookmarked the URL with
> https://example.com/?ticket=ST-344-adfafff......
> Alice has then shared that URL with another person, Bob.
> Bob navigates to the link supplied by Alice and is now logged into the
> application as Alice. This is a surprise to Alice and Bob.
>
> Is there any way to help prevent users bookmarking URLs containing the
> ticket?
> Is there any way to prevent Bob logging in as Alice with the URL with
> Alice's ticket?
>
> We currently are thinking that we have to educate users not to bookmark
> the URLs that have the ticket parameter, but that seems a bit weak.
>
> Any suggestions or insight would be welcome.
> Thanks in advance.
> Rob
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b1a5bf3d-e7cc-4065-8f14-ece00e261af3n%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/b1a5bf3d-e7cc-4065-8f14-ece00e261af3n%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
