> Is it possible to send POST to http://host/cas/login without the value
> for the hidden field called "lt" (login ticket). Can CAS be configured
> to ignore the "lt" when authenticating user?
No. LT is a required part of the CAS protocol:
When /login behaves as a credential requestor, the response will
vary depending on the type of credentials it is requesting. In most
cases, CAS will respond by displaying a login screen requesting a
username and password. This page MUST include a form with the
parameters, "username", "password", and "lt".
(Section 2.1.3, http://www.jasig.org/cas/protocol)
While removing this parameter may not be technologically possible
since it contains the Spring WebFlow session ID, even if it were
possible it would allow replay attacks. Attempt to remove this
parameter at your own peril.
M
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
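As an added illustration of the reply's point (this is example code written for this page, not CAS's own implementation and not posted by either participant): a small Python model of a /login endpoint that issues a one-time login ticket with the form and refuses a POST that omits it, reuses it, or presents one issued to another session. The session identifiers, the credential store and the "LT-"/"ST-" ticket formats are constructed assumptions for the demo; real CAS binds the ticket to the Spring WebFlow execution as the reply describes.

```python
import hmac
import secrets


class CasLoginSimulator:
    """Toy model of a CAS-style /login (example only, not CAS code).

    GET issues a form carrying a fresh login ticket (lt) bound to the
    caller's session; POST must present that lt exactly once.
    """

    def __init__(self):
        # Outstanding, unused tickets: lt -> session id it was issued to.
        self._tickets = {}
        # Constructed sample credential store for the demo.
        self._users = {"alice": "correct horse battery staple"}

    def get_login_form(self, session_id):
        """Credential requestor: render the form with a one-time lt."""
        lt = "LT-" + secrets.token_urlsafe(24)
        self._tickets[lt] = session_id
        return {"username": "", "password": "", "lt": lt}

    def post_login(self, session_id, form):
        """Credential acceptor: lt is checked before the password is."""
        lt = form.get("lt")
        if not lt:
            return ("error", "missing lt")
        # Consume the ticket on first presentation, whatever happens next;
        # a second POST with the same lt is a replay and is rejected.
        bound_session = self._tickets.pop(lt, None)
        if bound_session is None:
            return ("error", "unknown or already used lt")
        if not hmac.compare_digest(bound_session, session_id):
            return ("error", "lt not bound to this session")
        expected = self._users.get(form.get("username", ""))
        supplied = form.get("password", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return ("error", "bad credentials")
        # Success: hand back a (constructed) service ticket.
        return ("ok", "ST-" + secrets.token_urlsafe(16))


def demo():
    """Walk through the legitimate login, a replay, a POST without lt,
    and an lt captured from another session. Returns the outcomes."""
    cas = CasLoginSimulator()
    form = cas.get_login_form("sess-A")
    form.update(username="alice", password="correct horse battery staple")
    results = {}
    results["first"] = cas.post_login("sess-A", form)[0]
    # Same form submitted again: the lt has already been consumed.
    results["replay"] = cas.post_login("sess-A", form)
    # POST that simply drops the hidden field, as the question asked.
    results["no_lt"] = cas.post_login(
        "sess-A", {"username": "alice", "password": "correct horse battery staple"}
    )
    # An lt issued to a victim's session, presented from another session.
    victim_form = cas.get_login_form("sess-B")
    victim_form.update(username="alice", password="correct horse battery staple")
    results["stolen"] = cas.post_login("sess-C", victim_form)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ticket is consumed at the moment it is presented, not only on success, so a captured form cannot be resubmitted even if the first attempt failed; that is the replay protection the reply warns would be lost by removing the field.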