> I understand how the system works, but honestly, how
> much more secure is the TGC that CAS uses than a long-term
> application cookie?

I sincerely don't think you do based on your comments. CAS has been widely praised for its security, flexibility, and extensibility. The redirects you call "crazy" and "wildly inefficient" are essential to those praiseworthy aspects of CAS. If you search the list archives, you will find a great number of cases where folks are able to make CAS work for [insert obscure product here] by manipulation of the simple HTTP requests and responses used by the CAS protocol.

> However, if the system were redesigned such that the client app
> requested a temporary token, stored it in a session or cookie and
> called the login page passing that token and when authenticated
> used the temp token to pull the service ticket from the backend

Your proposal sounds strikingly similar to the CAS protocol, http://www.jasig.org/cas/protocol. Have you studied it carefully enough to identify inefficiencies that can be corrected without loss of functionality? If you believe that is the case, please write up a detailed functional spec for the changes and send it to the cas-dev list where we may discuss it further.

M
