> One-time tickets protect against replay attacks.
> That's good for security and not ridiculous at all.
> 
> Also the way it works makes cross-domain WebSSO possible. This is not
> possible with cookies in web browsers (also for very good reasons).

  I understand how the system works, but honestly, how
much more secure is the TGC that CAS uses than a long-term
application cookie? I mean, if someone gets hold of the TGC
then they could generate their own tickets. Though I suppose
it is relatively easy to pull a URL from a web log or something
of the like, while a bit harder to steal a cookie.

  However, if the system were redesigned such that the client app
requested a temporary token, stored it in a session or cookie, and
called the login page passing that token, and when authenticated
used the temp token to pull the service ticket from the backend,
wouldn't this be just as secure but let you bypass the crazy
redirects? It just seems wildly inefficient.

-- 
     www.suave.net - Anthony Ball - [email protected]
        OSB - http://rivendell.suave.net/Beer
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
If you give money, spend yourself with it. -- Henry David Thoreau
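To make the replay-protection point from the quoted message concrete, here is a toy model of the CAS ticket flow the thread is arguing about (an added example, not CAS's own code): a TGC lets its holder mint service tickets, but each service ticket is bound to one service, expires quickly, and is accepted exactly once, so a ticket copied out of a web log is rejected on second use. The class and method names are assumptions for illustration.

```python
import secrets
import time


class CasServerModel:
    """Constructed model of CAS-style ticketing (not the real CAS server)."""

    ST_TTL = 10  # seconds an unused service ticket stays valid

    def __init__(self):
        self.tgcs = {}      # TGC value -> principal (cookie scoped to the CAS host)
        self.tickets = {}   # outstanding ST -> (service, principal, issued_at)
        self.used = set()   # STs already consumed by a successful or failed validation

    def login(self, user):
        # Primary authentication succeeded: hand back a ticket-granting cookie.
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.tgcs[tgc] = user
        return tgc

    def issue_service_ticket(self, tgc, service):
        # Anyone presenting a valid TGC can mint tickets, which is the risk
        # the poster raises; a TGC must therefore be protected like a session.
        user = self.tgcs.get(tgc)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (service, user, time.monotonic())
        return st

    def validate(self, st, service, now=None):
        """Return (True, principal) once per ticket; every later attempt fails."""
        now = time.monotonic() if now is None else now
        if st in self.used:
            return (False, "replay: ticket already consumed")
        entry = self.tickets.pop(st, None)
        if entry is None:
            return (False, "unknown ticket")
        self.used.add(st)  # consumed even if the checks below fail
        svc, user, issued = entry
        if svc != service:
            return (False, "ticket was issued for a different service")
        if now - issued > self.ST_TTL:
            return (False, "ticket expired")
        return (True, user)


def demo_replay():
    # A ticket that leaked via a request log is presented a second time.
    cas = CasServerModel()
    tgc = cas.login("alice")
    st = cas.issue_service_ticket(tgc, "https://app.example/")
    return cas.validate(st, "https://app.example/"), cas.validate(st, "https://app.example/")
```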

