Amazon stores a decent amount of info at the account layer. Different application sessions across different devices share a cart. But the solution for this is to do it at the application layer. Extend the session out there. Then at the security layer, it should have the functionality to know when the last authentication was. If they are doing something that requires higher security, that last login time is queried and a forced authentication is done if it isn't high enough. You could do a normal SSO auth if your IdP session is less than your critical time period. You can force an auth through CAS, even with an active session, by using the renew option.
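
The step-up pattern described above, as an added example (not code from this thread or from the CAS project): the application keeps the last CAS authentication time from the ticket validation response and, for routes with a short maximum age such as Account/Profile, sends the user back to CAS with renew=true; the CAS server URL, the shop URL, the route table and the sample validation response are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

CAS_LOGIN = "https://cas.example.edu/cas/login"   # hypothetical CAS server URL
NS = {"cas": "http://www.yale.edu/tp/cas"}         # CAS protocol XML namespace
# Maximum authentication age per sensitive route; unlisted routes (browsing,
# cart, checkout) are served on the long-lived application session alone.
MAX_AUTH_AGE = {"/account/profile": timedelta(hours=2)}

@dataclass
class AppSession:
    username: str
    last_auth_at: datetime   # when CAS last verified this user's credentials

def session_from_validation(xml_text):
    """Build the app session from a CAS 3 /serviceValidate response; the
    authenticationDate attribute is assumed to be released by the server."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", NS)
    if ok is None:
        raise ValueError("ticket validation failed")
    raw = ok.findtext("cas:attributes/cas:authenticationDate", namespaces=NS)
    when = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return AppSession(ok.findtext("cas:user", namespaces=NS), when)

def needs_step_up(path, session, now):
    """True when the route needs fresher credentials than the session holds."""
    limit = MAX_AUTH_AGE.get(path)
    return limit is not None and now - session.last_auth_at > limit

def cas_login_url(service, force=False):
    """CAS /login redirect; renew=true makes CAS prompt for credentials even
    when the browser still holds a valid SSO session cookie (TGC)."""
    params = {"service": service}
    if force:
        params["renew"] = "true"
    return f"{CAS_LOGIN}?{urlencode(params)}"

# Constructed sample validation response and a clock two days after login.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>psv</cas:user><cas:attributes>
    <cas:authenticationDate>2022-07-27T12:16:00Z</cas:authenticationDate>
  </cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"""
NOW = datetime(2022, 7, 29, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    sess = session_from_validation(SAMPLE_RESPONSE)
    print(needs_step_up("/account/profile", sess, NOW))  # True: 2h limit exceeded
```

A cart or browsing route is served on the existing application session, while the profile route is redirected to CAS with renew=true once the last authentication is older than two hours.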

On 7/28/22 09:07, Pablo Vidaurri wrote:
Sorry, waldbiec is correct ... ST is using the default value of 10 sec ... I meant the application session is 2hrs.

Basically we are looking at how to mimic sites like Amazon ... once you login you can browse for days, add stuff to your cart, maybe even check out. But once you go to modify your account details (shipping/billing, etc.) you get prompted to login again.

-psv

On Wednesday, July 27, 2022 at 6:34:15 PM UTC-5 richard.frovarp wrote:

    I would change the application and not do it via CAS. Changing the
    application session timeout to what they want. Because otherwise
    it will do a SSO session again, which will interrupt anything the
    end user is trying to do with the browser open for the past two
    days. So anything done via CAS won't give a good user experience.
    ------------------------------------------------------------------------
    *From:* [email protected] <[email protected]> on behalf of Ray
    Bon <[email protected]>
    *Sent:* Wednesday, July 27, 2022 4:34:56 PM
    *To:* [email protected] <[email protected]>
    *Subject:* Re: [cas-user] ideas for persistence login session
    Pablo,

    The long running pages could be added as a service with longer TGT
    life,
    
https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service

    Ray

    On Wed, 2022-07-27 at 12:16 -0700, Pablo Vidaurri wrote:

    Currently CAS TGT is an 8hr session, ST is a 2hr session. Client
    is requesting to enable certain parts of their site (protected)
    to include a longer ST (for weeks) while maintaining a 2hr
    session for other secured parts like "Account/Profile".

    I understand the application needs to change, but is there
    anything on the CAS side that I can do to help in this effort?

    Would JWT help? When a user successfully logs in, issue a JWT
    good for 4 weeks with the user's credentials. Now let's assume the
    TGT/ST are no longer valid and the user is trying to access a part
    of the site where logging in is not required for days (protected
    area). The JWT would then be used to auto login the user.
    Achievable or pure abuse?

    Also considered increasing the TGT TTL for weeks and creating
    separate services to define an
    AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy
    of 2hrs/8hrs, etc., but this means certain parts of the site
    need to be under specific URL patterns.

    Any suggestions?

    -psv

--
    Ray Bon
    Programmer Analyst
    Development Services, University Systems
    (250) 721-8831 | CLE 019 | [email protected]

    I acknowledge and respect the lək̓ʷəŋən peoples on whose
    traditional territory the university stands, and the Songhees,
    Esquimalt and WSÁNEĆ peoples whose historical relationships with
    the land continue to this day.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a5c8a9514a354884dd7a78daba1dba5272b9620f.camel%40uvic.ca

