Dallas,

Great observation! It will surely improve session security and would help
in coordinating sessions among applications, but this behavior would make
for a very chatty conversation with the CAS server. I guess you can do it
at a specified interval. My thought about this is that CAS is for
authentication (SSO, validation, expiration, etc.). Without CAS you would
verify with your authentication provider, LDAP for example. I would not ping
LDAP on subsequent requests to manage my session; that would be expensive.
However, I understand where you are going with session management. We have
a similar challenge in our shop, and I wish there were a best-practice
answer from the community.

Thanks,
Rolly

On Tue, Feb 9, 2010 at 11:06 AM, Dallas <[email protected]> wrote:

>
> I "guess" one could consider doing a recurring validation of the user's
> session as session management that is beyond the scope of the CAS client,
> but it seems to me that is what the client is doing anyway with the
> Assertion object on the initial authentication. E.g. before login there is
> no Assertion on the session, and after authentication the client puts the
> Assertion on the session, and from there forward the client decides, by
> checking the session, that the user doesn't need to log in again; sounds
> like session management to me. Doesn't seem like a big stretch to add the
> capability on the client to check the validity of the session (at least as
> far as it being an authenticated session is concerned) against the CAS
> server and update the Assertion object appropriately. Just an
> observation... but it seems like this would enhance the security provided
> by CAS.
>
> Anyway..., I understand that this is not how it is intended to work.
>
> Thanks for the confirmation.
>
>
> --
> View this message in context:
> http://n4.nabble.com/CAS-ST-validation-after-authentication-tp1474581p1474800.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>



-- 
Rolly Ferolino
[email protected]
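The two messages above sketch a design: keep the Assertion the CAS client stores in the HTTP session after ticket validation, but re-check it against the CAS server only at a configurable interval so the conversation does not become chatty. The following is an added illustration written for this archive page; it is not code from the thread or from the Jasig CAS client (which is Java), and it uses Python so the trade-off can be simulated directly. The class names, the `check(principal)` callback standing in for a server-side validity query, and the constructed request timeline are all assumptions.

```python
"""Interval-throttled re-validation of a cached CAS assertion (hypothetical).

A request filter trusts the cached Assertion until `interval` seconds have
passed since it was last confirmed with the CAS server, then re-checks once.
interval=0 reproduces the "chatty" per-request behavior; a larger interval
trades server load for a bounded window in which a terminated SSO session is
still accepted locally.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Assertion:
    """Minimal stand-in for the CAS client's Assertion object (constructed)."""
    principal: str
    validated_at: float  # seconds since epoch of the last successful check


@dataclass
class Session:
    """Stand-in for the HTTP session that holds the Assertion."""
    assertion: Optional[Assertion] = None


class RevalidatingFilter:
    """Decides per request whether to serve, re-validate, or force login."""

    def __init__(self, interval: float, check: Callable[[str], bool]):
        # check(principal) -> True while the CAS server still considers the
        # SSO session valid (hypothetical callback; CAS has no such API here).
        self.interval = interval
        self.check = check
        self.server_calls = 0  # round trips actually made to the CAS server

    def handle(self, session: Session, now: float) -> str:
        a = session.assertion
        if a is None:
            return "login"  # no Assertion yet: normal CAS redirect to login
        if now - a.validated_at < self.interval:
            return "ok"  # inside the trust window: no server round trip
        self.server_calls += 1
        if self.check(a.principal):
            a.validated_at = now  # refresh the Assertion's timestamp
            return "ok"
        session.assertion = None  # SSO session gone: drop it, require login
        return "login"


def simulate(interval: float, n_requests: int, revoke_at: float) -> Tuple[List[str], int]:
    """Constructed scenario: one request per second from t=0; the CAS server
    terminates the SSO session at t=revoke_at (e.g. logout or expiry).
    Returns the per-request outcomes and the number of server round trips."""
    clock = [0.0]

    def check(principal: str) -> bool:
        return clock[0] < revoke_at

    flt = RevalidatingFilter(interval, check)
    session = Session(Assertion("alice", validated_at=0.0))
    outcomes = []
    for t in range(n_requests):
        clock[0] = float(t)
        outcomes.append(flt.handle(session, float(t)))
    return outcomes, flt.server_calls


if __name__ == "__main__":
    for interval in (0, 10):
        out, calls = simulate(interval, 40, 25)
        first_login = out.index("login") if "login" in out else None
        print(f"interval={interval:>2}s: {calls} server calls, "
              f"first forced login at t={first_login}")
```

Run as-is, the comparison shows the trade-off Rolly describes: with `interval=0` every request costs a server call and the revoked session is refused at t=25; with `interval=10` only three calls are made over forty requests, but the user is still served until the next check at t=30.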

