I recommend you read our protocol documents:
http://www.jasig.org/cas/cas1-architecture
http://www.jasig.org/cas/cas2-architecture

Cheers,
Scott

On Wed, Oct 7, 2009 at 8:10 AM, David Jefferson <[email protected]> wrote:
> Thanks for the reply.
>
> Could you elaborate a bit more on how the SSO session token is handled in
> the client?
>
> I see that, after being authenticated, the CASTGC cookie that the CAS
> server creates contains the session token in the content attribute, the
> host is pointing at my CAS server, and the "Send For" attribute is set to
> "Encrypted connections only".
>
> I'm assuming though that, after a user has been authenticated, when the
> user navigates between secured pages (where secured means that they need to
> be logged in to access the page, but otherwise the requests are going over
> http) the CAS client code is retrieving the session token from the cookie
> and calling the CAS server to validate the token. Although the validation
> between the client and the CAS server is over SSL, the cookie data is being
> sent from the browser to the client app server over http. Is this correct?
> If yes, then this is what you meant in your earlier reply that the session
> token is exposed?

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
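The exchange the thread is about, modelled end to end as an added example (this is not code from the thread or from the Jasig CAS project): a browser, a CAS server that issues the CASTGC cookie and service tickets, and a client application that validates tickets and keeps its own session. The message shapes follow the CAS 2.0 protocol documents linked in the reply (login?service=..., redirect back with ?ticket=ST-..., the /serviceValidate XML with the http://www.yale.edu/tp/cas namespace); the host names, cookie attributes, cookie-jar rules and in-memory ticket stores are assumptions made for illustration.

```python
"""Model of the CAS 2.0 login/validation exchange. Added example, not from this thread or the
Jasig CAS project; host names, cookie attributes and in-memory ticket stores are assumptions."""
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class CasServer:  # a TGT is the SSO session; an ST is a one-time ticket bound to one service
    def __init__(self, host="cas.example.org"):
        self.host, self.tgts, self.sts = host, {}, {}   # TGT -> user; ST -> (service, user)

    def login(self, service, tgc=None, credentials=None):
        """Return (redirect location carrying the ST, Set-Cookie dict or None)."""
        if tgc in self.tgts:                        # valid CASTGC presented: no login form
            username, cookie = self.tgts[tgc], None
        else:
            username, tgc = credentials, "TGT-" + secrets.token_urlsafe(16)
            self.tgts[tgc] = username
            # Scoped to the CAS host and Secure: a browser sends it only there, only over HTTPS.
            cookie = {"name": "CASTGC", "value": tgc, "domain": self.host, "path": "/cas", "secure": True}
        st = "ST-" + secrets.token_urlsafe(16)
        self.sts[st] = (service, username)
        return service + ("&" if "?" in service else "?") + urlencode({"ticket": st}), cookie

    def service_validate(self, service, ticket):
        """/serviceValidate response; the ticket is consumed on first use."""
        entry = self.sts.pop(ticket, None)
        if entry is None or entry[0] != service:
            body = ('<cas:authenticationFailure code="INVALID_TICKET">'
                    f'ticket {escape(ticket)} not recognized</cas:authenticationFailure>')
        else:
            body = f"<cas:authenticationSuccess><cas:user>{escape(entry[1])}</cas:user></cas:authenticationSuccess>"
        return f'<cas:serviceResponse xmlns:cas="{CAS_NS["cas"]}">{body}</cas:serviceResponse>'


class ClientApp:
    """Application side: it sees only the ST in the query string, never CASTGC."""
    def __init__(self, cas, service_url):
        self.cas, self.service_url, self.sessions = cas, service_url, {}   # sessions: sid -> user

    def validate(self, ticket):
        # A real client fetches https://<cas>/cas/serviceValidate over TLS; modelled as a call.
        root = ET.fromstring(self.cas.service_validate(self.service_url, ticket))
        user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
        if user is None:
            raise PermissionError(root.find("cas:authenticationFailure", CAS_NS).get("code"))
        return user.text

    def handle(self, url, cookies):
        """Return (("ok", user) or ("redirect", cas_login_url), Set-Cookie dict or None)."""
        sid = cookies.get("APPSESSION")
        if sid in self.sessions:
            return ("ok", self.sessions[sid]), None
        ticket = parse_qs(urlparse(url).query).get("ticket", [None])[0]
        if ticket is None:
            login = f"https://{self.cas.host}/cas/login?" + urlencode({"service": self.service_url})
            return ("redirect", login), None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = self.validate(ticket)
        # The app's own session cookie is what later plain-HTTP requests to the app carry.
        return ("ok", self.sessions[sid]), {"name": "APPSESSION", "value": sid, "path": "/",
                                             "domain": urlparse(self.service_url).hostname, "secure": False}


def cookies_for(jar, url):
    """Cookies a browser attaches to url: host, path and Secure checks (simplified RFC 6265)."""
    p = urlparse(url)
    return {c["name"]: c["value"] for c in jar if c["domain"] == p.hostname
            and (p.path or "/").startswith(c["path"]) and (p.scheme == "https" or not c["secure"])}


def sso_flow(username="alice"):
    """Run the exchange once and report what each side saw."""
    cas, jar = CasServer(), []
    app = ClientApp(cas, "http://app.example.org/secure/page")
    # 1. unauthenticated request to the app -> redirect to the CAS login URL
    (kind, login_url), _ = app.handle(app.service_url, cookies_for(jar, app.service_url))
    # 2. user logs in at CAS over HTTPS; CAS sets CASTGC and redirects back with an ST
    back, castgc = cas.login(app.service_url, cookies_for(jar, login_url).get("CASTGC"), username)
    jar.append(castgc)
    # 3. browser follows the redirect over plain HTTP; the app validates the ST with CAS
    (_, user), sess = app.handle(back, cookies_for(jar, back))
    jar.append(sess)
    # 4. replaying the same ST fails: the first validation consumed it
    try:
        app.validate(parse_qs(urlparse(back).query)["ticket"][0])
        replay = "accepted"
    except PermissionError as e:
        replay = str(e)
    # 5. a later plain-HTTP request carries only the app's cookie; CASTGC stays with the CAS host
    sent_to_app = cookies_for(jar, app.service_url)
    # 6. a second service: CAS sees CASTGC over HTTPS and issues an ST without a login form
    app2 = ClientApp(cas, "http://other.example.org/")
    (_, login2), _ = app2.handle(app2.service_url, cookies_for(jar, app2.service_url))
    back2, new_tgc = cas.login(app2.service_url, cookies_for(jar, login2).get("CASTGC"))
    (_, sso_user), _ = app2.handle(back2, cookies_for(jar, back2))
    return {"first": kind, "user": user, "replay": replay, "cookies_to_app": sorted(sent_to_app),
            "sso_user": sso_user, "new_castgc": new_tgc}
```

Calling sso_flow() walks through the six steps: in this model the browser presents CASTGC only to the CAS host and only over HTTPS, the application receives a one-time ST in the redirect URL and validates it with the CAS server, a replayed ST is rejected with INVALID_TICKET, a second service is signed in from the same TGT without a login form, and the only cookie that travels with the application's plain-HTTP requests is the application's own session cookie (APPSESSION here), not CASTGC. Real deployments use a TLS connection to /serviceValidate, which is modelled as a direct call; the cookie-jar rules in cookies_for are a simplification of RFC 6265 host, path and Secure matching.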
