I have seen exactly this scenario in the logs for our production system. Probably the cause is a bug in the CAS client, but it would be nice for the CAS Server to detect and handle both these accidental situations and malicious denial-of-service attempts.
Danny B. wrote:
>
> Hi,
>
> I want to prevent the following situation.
>
> Problem:
> STEP 1
> User A: logs in to service http://example.service.com
> http://example.service.com redirects to CAS.
>
> STEP 2:
> User A: logs in to CAS and is redirected to
> http://example.service.com?ticket=newTicket1
> CAS sets cookie
> STEP 3:
> User A throws ticket away and returns to service, automated!
> Service redirects to CAS.
> CAS redirects to service + ticket
>
> Infinite loop!
> User A throws ticket away and returns to service, automated!
> Service redirects to CAS.
> CAS redirects to service + ticket
>
>
> Solution:
> New table with following values:
> Ticket Granting Ticket id, RegisteredService, TimeStamp,
> #timesUsedSinceTimeStamp,
>
> TimeStamp: This is set every x amount of seconds/minutes
>
> pseudo code
> <code>
> if( Timestamp > (currentTime - measurementTime) ){
>     RegisteredService.timesUsedSinceTimeStamp += 1;
> }
> else{
>     // window rolled over: restart the window and the counter
>     TimeStamp = currentTime;
>     RegisteredService.timesUsedSinceTimeStamp = 1;
> }
> if ( RegisteredService.timesUsedSinceTimeStamp > X* ){
>     redirect to ErrorPage
>     REPORT TO ADMIN
> }
>
> X* (being the maximum number of uses within a certain time frame)
> </code>
>
> I am planning to implement this solution this week.
> The source code will be posted.
>
> I would just like to hear your advice on how to implement this solution,
> so you don't have to change much if you want to import it in CAS. <== goal
>
> Kind regards,
>
> Danny
>
> --
> View this message in context: http://www.nabble.com/possible-solution-preventing-abuse-cas-infinite-loop-redirect-service-tp23389145p23530661.html
> Sent from the CAS Users mailing list archive at Nabble.com.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
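Danny's counter written out as a runnable model (an added example, not CAS code or anything posted in this thread): one fixed window per (TGT id, service) pair, with the count reset when the window rolls over, plus a replay of the step-3 loop to show where it gets cut. The names `RedirectLoopDetector`, `simulate_loop` and the sample TGT ids are assumptions of this example.

```python
import time


class RedirectLoopDetector:
    """Fixed-window counter of service-ticket grants per (TGT id, service).

    Models the table proposed in the post (TGT id, RegisteredService,
    TimeStamp, timesUsedSinceTimeStamp). Constructed illustration, not CAS code.
    """

    def __init__(self, max_grants, window_seconds):
        self.max_grants = max_grants          # X in the post
        self.window_seconds = window_seconds  # measurementTime in the post
        self._counters = {}                   # (tgt_id, service) -> [window_start, count]
        self.alerts = []                      # what "REPORT TO ADMIN" would send

    def on_service_ticket_request(self, tgt_id, service, now=None):
        """Called per service-ticket request; returns "grant_ticket" or "error_page"."""
        now = time.time() if now is None else now
        key = (tgt_id, service)
        entry = self._counters.get(key)
        if entry is None or now - entry[0] >= self.window_seconds:
            # First request, or the window expired: open a new window. The count
            # must be reset here too, otherwise every TGT eventually trips X.
            entry = [now, 0]
            self._counters[key] = entry
        entry[1] += 1
        if entry[1] > self.max_grants:
            self.alerts.append((tgt_id, service, entry[1]))
            return "error_page"
        return "grant_ticket"

    def forget(self, tgt_id):
        """Drop all counters for a TGT once it is destroyed (logout or expiry)."""
        for key in [k for k in self._counters if k[0] == tgt_id]:
            del self._counters[key]


def simulate_loop(detector, tgt_id, service, rounds, start=0.0):
    """Replay the loop from the post: the client discards every ticket and is
    bounced straight back, so CAS sees `rounds` ticket requests 100 ms apart.
    Returns how many tickets were granted before the loop was cut."""
    granted = 0
    for i in range(rounds):
        if detector.on_service_ticket_request(tgt_id, service, now=start + i * 0.1) == "error_page":
            break
        granted += 1
    return granted
```

A legitimate user re-authenticating to the same service a few times per window stays below X, while the automated bounce is stopped after X grants and the admin alert carries the offending TGT and service.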
