>> Perhaps unnecessary redirects, redirects that
>> happen when a user is logged in already, could be avoided by storing data
>> via the session with the webapp?

I think we need to clarify what session you mean. The SSO session or the session of the CAS-enabled Web application? Assuming you mean the webapp session, then most CAS clients do store authenticated state to prevent unnecessary redirects to CAS every time. Note that this client feature is entirely optional; CAS has full support for stateless authentication scenarios.

> I think a better question would have been: Where in the CAS architecture
> does session validation take place?

Again, assuming you mean validating the authenticated state of a CAS-enabled webapp, then it's not formally part of either the protocol or the CAS architecture per se. Most CAS clients store the authenticated state to prevent redirects other than on session creation.

M
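The client-side behaviour discussed in this message, sketched as an added example that is not part of the original post and is not code from any CAS client. The function names, the `cas_user` session key, the URLs and the stand-in validator are all hypothetical, and the stateless branch assumes an unticketed request is simply sent back to CAS.

```python
from urllib.parse import urlencode

CAS_LOGIN = "https://cas.example.org/cas/login"  # constructed placeholder URL
SERVICE = "https://app.example.org/"             # constructed placeholder URL
SESSION_KEY = "cas_user"                         # hypothetical session attribute


def cas_gate(session, params, service_url, validate, use_session=True):
    """Decide one request: returns ("allow", user) or ("redirect", url).

    session is the webapp's own session (not the CAS SSO session);
    validate(ticket, service_url) stands in for the client's back-channel
    ticket validation call to the CAS server.
    """
    # 1. Authenticated state already stored by the client: no redirect.
    if use_session and session.get(SESSION_KEY):
        return ("allow", session[SESSION_KEY])
    # 2. Browser came back from CAS with a service ticket: validate it.
    ticket = params.get("ticket")
    if ticket:
        user = validate(ticket, service_url)
        if user:
            if use_session:
                session[SESSION_KEY] = user  # remember for later requests
            return ("allow", user)
    # 3. Nothing stored and no valid ticket: send the browser to CAS.
    return ("redirect", CAS_LOGIN + "?" + urlencode({"service": service_url}))


def make_validator(issued):
    """Constructed stand-in for CAS: tickets are single-use and service-bound."""
    def validate(ticket, service_url):
        entry = issued.pop(ticket, None)  # pop, so a replayed ticket fails
        if entry and entry[0] == service_url:
            return entry[1]
        return None
    return validate


def simulate(use_session):
    """Four requests from one browser; only the second carries a ticket."""
    validate = make_validator({"ST-1": (SERVICE, "alice")})  # constructed ticket
    session = {}
    requests = [{}, {"ticket": "ST-1"}, {}, {}]
    return [cas_gate(session, p, SERVICE, validate, use_session)[0]
            for p in requests]


if __name__ == "__main__":
    print("session-backed:", simulate(True))
    print("stateless:     ", simulate(False))
```

With the session-backed client only the first request is redirected; without stored state, every request that lacks a fresh ticket goes back to CAS.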
