If you mean the SSO session token that is sent by the CAS Server to the browser, then you have no worries. That session token is *only* submitted to the CAS server and also *only* over SSL (if it's not SSL, then CAS won't send back the cookie). If you mean the one-time token sent to your client application via the URL, then if that's over HTTPS you should be fine. However, if you switch out of HTTPS after that, then your HttpSession is exposed (which we have nothing to do with).
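The distinction the reply draws (a one-time service ticket passed in the URL versus the application's own long-lived session cookie) is easier to see in code. The following is an added illustration written for this thread, not CAS server or client code; it models a ticket registry under the assumptions that a service ticket is bound to one service URL, is consumed on its first validation attempt, and expires after a short window (`ST_LIFETIME_SECONDS` is an assumed value), and that the application session cookie is a separate bearer token whose `Secure` attribute can only be honoured when the application itself is served over HTTPS.

```python
"""Toy model of the CAS ticket flow discussed in this thread (constructed example)."""
import secrets
import time

# Assumption: service tickets are only valid for a few seconds after issue.
ST_LIFETIME_SECONDS = 10


class TicketRegistry:
    """Issues and validates one-time service tickets (ST)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # ticket id -> (bound service URL, user, issued_at)

    def issue_service_ticket(self, service, user):
        """Create an unguessable ticket bound to the service URL that requested it."""
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, user, self._clock())
        return ticket

    def validate(self, ticket, service):
        """Return the user if the ticket is valid for this service, else None.

        The ticket is removed on the first lookup, whatever the outcome, so a
        ticket observed in a URL cannot be presented a second time.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        bound_service, user, issued_at = entry
        if bound_service != service:
            return None
        if self._clock() - issued_at > ST_LIFETIME_SECONDS:
            return None
        return user


def build_session_cookie(session_id, https):
    """Build the application's own Set-Cookie value after a successful validation.

    This cookie, not the CAS ticket, is what travels with every later request.
    The Secure attribute is only meaningful when the application is on HTTPS;
    over plain HTTP the cookie is visible on the wire regardless of CAS.
    """
    attributes = ["JSESSIONID=" + session_id, "Path=/", "HttpOnly"]
    if https:
        attributes.append("Secure")
    return "; ".join(attributes)


if __name__ == "__main__":
    registry = TicketRegistry()
    app = "https://app.example/login"  # constructed service URL
    st = registry.issue_service_ticket(app, "alice")
    print("first validation :", registry.validate(st, app))   # alice
    print("replayed ticket  :", registry.validate(st, app))   # None
    print("HTTP app cookie  :", build_session_cookie(secrets.token_hex(8), https=False))
```

The model shows why the reply separates the two cases: a replayed or redirected service ticket yields nothing, while the application session cookie is exposed for as long as the application stays on plain HTTP.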
On Tue, Oct 6, 2009 at 6:11 PM, David Jefferson <[email protected]> wrote:
> A question has been asked by the engineers working on the client app that
> is authenticating against CAS regarding the security of the CAS ticket in
> the client session cookie.
>
> The connection between the client app and CAS is over ssl but the rest of
> the client app does not use ssl. The concern is that the CAS ticket is
> exposed on the network traffic between the browser and the client app server
> and could be hijacked.
>
> Are there any recommendations (other than putting the client app on ssl,
> which is not an option in my case) for addressing this?
>
> I'm using CAS server 3.3.2 and CAS client 3.1.6.
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
