How can I enforce the renew option? It looks like a query parameter which the user can remove and bypass forced authentication.
On Thursday, July 28, 2022 at 9:36:12 AM UTC-5 richard.frovarp wrote:
> Amazon stores a decent amount of info at the account layer. Different application sessions across different devices share cart. But the solution for this is to do it at the application layer. Extend the session out there. Then at the security layer, it should have the functionality to know when the last authentication was. If they are doing something that requires higher security, that last login time is queried and a forced authentication is done if it isn't high enough. You could do a normal SSO auth if your IdP session is less than your critical time period. You can force an auth through CAS, even with an active session, by using the renew option.
>
> On 7/28/22 09:07, Pablo Vidaurri wrote:
>> Sorry, waldbiec is correct ... ST is using the default value of 10 sec ... I meant the application session is 2hrs.
>>
>> Basically we are looking at how to mimic sites like amazon ... once you login you can browse for days, add stuff to your cart, maybe even check out. But once you go to modify your account details (shipping/billing, etc) you get prompted to login again.
>>
>> -psv
>>
>> On Wednesday, July 27, 2022 at 6:34:15 PM UTC-5 richard.frovarp wrote:
>>> I would change the application and not do it via CAS. Changing the application session timeout to what they want. Because otherwise it will do a SSO session again, which will interrupt anything the end user is trying to do with the browser open for the past two days. So anything done via CAS won't give a good user experience.
>>>
>>> ------------------------------
>>> *From:* [email protected] <[email protected]> on behalf of Ray Bon <[email protected]>
>>> *Sent:* Wednesday, July 27, 2022 4:34:56 PM
>>> *To:* [email protected] <[email protected]>
>>> *Subject:* Re: [cas-user] ideas for persistence login session
>>>
>>> Pablo,
>>>
>>> The long running pages could be added as a service with longer TGT life, https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service
>>>
>>> Ray
>>>
>>> On Wed, 2022-07-27 at 12:16 -0700, Pablo Vidaurri wrote:
>>>> Currently CAS TGT is an 8hr session, ST is a 2hr session. Client is requesting to enable certain parts of their site (protected) to include a longer ST (for weeks) while maintaining a 2hr session for other secured parts like "Account/Profile".
>>>>
>>>> I understand the application needs to change, but is there anything on the CAS side that I can do to help in this effort?
>>>>
>>>> Would JWT help? When a user successfully logs in, issue a JWT good for 4 weeks with user's credentials. Now let's assume the TGT/ST are no longer valid and the user is trying to access part of the site where logging in is not required for days (protected area). The JWT would then be used to auto login the user. Achievable or pure abuse?
>>>>
>>>> Also considered increasing the TGT TTL for weeks and creating separate services to define an AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 2hrs/8hrs, etc but this means certain parts of the site need to be under specific URL patterns.
>>>>
>>>> Any suggestions?
>>>>
>>>> -psv
>>>
>>> --
>>> Ray Bon
>>> Programmer Analyst
>>> Development Services, University Systems
>>> (250) 721-8831 | CLE 019 | [email protected]
>>>
>>> I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/a5c8a9514a354884dd7a78daba1dba5272b9620f.camel%40uvic.ca
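Richard's approach quoted above (the application remembers when the user last presented credentials and forces a CAS login with renew when a sensitive action needs a fresher one) also answers the question at the top of the thread. The Python sketch below is an added illustration, not code from the thread or from CAS itself; the CAS base URL, the application session dict and the two XML responses are assumed or constructed. The point is that the application sets renew on its own /serviceValidate call as well as on the browser redirect: the CAS protocol then rejects a ticket that was issued from an existing SSO session, so a user who strips renew from the redirect only obtains a ticket the application refuses.

```python
import time
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_BASE = "https://cas.example.org/cas"      # assumed CAS server (placeholder)
NS = {"cas": "http://www.yale.edu/tp/cas"}    # CAS protocol XML namespace

def login_redirect(service, step_up):
    """The app builds the /login redirect; the user never chooses whether renew is set."""
    params = {"service": service}
    if step_up:
        params["renew"] = "true"
    return f"{CAS_BASE}/login?{urlencode(params)}"

def validate_url(service, ticket, step_up):
    """Mirror renew on /serviceValidate: per the CAS protocol, a ticket issued from an
    existing SSO session (no fresh credentials) then fails validation."""
    params = {"service": service, "ticket": ticket}
    if step_up:
        params["renew"] = "true"
    return f"{CAS_BASE}/serviceValidate?{urlencode(params)}"

def parse_validation(xml_text):
    """Return the user from a serviceValidate response, or None on authenticationFailure."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", NS)
    return user.text if user is not None else None

def needs_step_up(session, now=None, max_age=2 * 60 * 60):
    """Sensitive routes call this: re-auth if the last primary login is older than 2 h."""
    now = time.time() if now is None else now
    last = session.get("last_auth_at")
    return last is None or now - last > max_age

def record_login(session, xml_text, step_up, now=None):
    """Store the user; refresh last_auth_at only when the ticket passed a renew check,
    because a plain SSO validation does not tell the app when credentials were entered."""
    user = parse_validation(xml_text)
    if user is None:
        return False
    session["user"] = user
    if step_up:
        session["last_auth_at"] = time.time() if now is None else now
    return True

# Constructed sample responses, not captured from a real CAS server.
SUCCESS_XML = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
               '<cas:authenticationSuccess><cas:user>pablo</cas:user></cas:authenticationSuccess></cas:serviceResponse>')
RENEW_FAIL_XML = ('<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
                  '<cas:authenticationFailure code="INVALID_TICKET">not issued from primary credentials</cas:authenticationFailure></cas:serviceResponse>')
```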
