A question has been asked by the engineers working on the client app that is authenticating against CAS regarding the security of the CAS ticket in the client session cookie.
The connection between the client app and CAS is over SSL, but the rest of the client app does not use SSL. The concern is that the CAS ticket is exposed in the network traffic between the browser and the client app server and could be hijacked. Are there any recommendations (other than putting the client app on SSL, which is not an option in my case) for addressing this? I'm using CAS server 3.3.2 and CAS client 3.1.6.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
