If you wanted to communicate with the CAS server to "confirm" a session, you'd have to have the ST live for more than one use, which would then mean you'd need to expand its length such that it could not be easily "guessed".
You can't use the TGT or the username to confirm a session. A user may have multiple sessions. Sharing a TGT between apps is a security problem.

I'm not sure why you need to confirm the session. CAS will signal a logged-out session via callback when the user ends his or her session. The end of a CAS session via normal expiration should not indicate whether the local application should end (maybe CAS has short timeouts but I'm in your application for a while).

Cheers,
Scott

On Tue, Feb 9, 2010 at 1:39 PM, Rolly Ferolino <[email protected]> wrote:

> Dallas,
>
> Great observation! It will surely improve the session security and would
> help in the coordination of sessions among applications, but this behavior
> would make a very chatty conversation with CAS Server. I guess you can do
> it in a specified interval. My thought about this is that CAS is for
> authentication (SSO, validation, expiration, etc.). Without CAS you would
> verify with your authentication provider, LDAP for example. I would not ping
> LDAP on subsequent requests to manage my session. That would be expensive.
> However, I understand where you are going with session management. We have
> a similar challenge in our shop and I wish there were a best practice answer
> from the community.
>
> Thanks,
> Rolly
>
> On Tue, Feb 9, 2010 at 11:06 AM, Dallas <[email protected]> wrote:
>
>> I "guess" one could consider doing a recurring validation of the user's
>> session as session management that is beyond the scope of the CAS client,
>> but it seems to me that is what the client is doing anyway with the Assertion
>> object on the initial authentication. E.g. before login there is no
>> Assertion on the session and after authentication the client puts the
>> Assertion on the session, and from there forward the client decides by
>> checking the session that the user doesn't need to login again. Sounds like
>> session management to me.
>>
>> Doesn't seem like a big stretch to add the capability on the client to
>> check the validity of the session (at least as far as it being an
>> authenticated session is concerned) against the CAS server and update the
>> Assertion object appropriately. Just an observation... but it seems like this
>> would enhance the security provided by CAS.
>>
>> Anyway..., I understand that this is not how it is intended to work.
>>
>> Thanks for the confirmation.
>>
>> --
>> View this message in context:
>> http://n4.nabble.com/CAS-ST-validation-after-authentication-tp1474581p1474800.html
>> Sent from the CAS Users mailing list archive at Nabble.com.
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>>
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> Rolly Ferolino
> [email protected]
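As an added illustration of the single-use service ticket point made in this thread (example code written here, not code from the thread or from the CAS project), a constructed Python model of ST issue and validation: the service URL, the TTL value and the principal names are assumptions, and the ticket registry is a toy, not CAS's own.

```python
import secrets
import time

# Constructed parameter (an assumption, not a CAS default): a ticket that is
# consumed on first use only needs to outlive the redirect back to the app.
ST_TTL_SECONDS = 10


class ServiceTicketRegistry:
    """Toy model of CAS service-ticket (ST) semantics: an ST is minted for one
    service, validated at most once, and discarded on validation or expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tickets = {}  # ticket id -> (service, principal, issued_at)

    def grant(self, service, principal):
        # Unguessable identifier; single use is what lets it stay short-lived.
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (service, principal, self._clock())
        return ticket

    def validate(self, ticket, service):
        # pop() enforces single use: a second presentation finds nothing.
        record = self._tickets.pop(ticket, None)
        if record is None:
            return None  # unknown, already consumed (replay), or purged
        bound_service, principal, issued_at = record
        if self._clock() - issued_at > ST_TTL_SECONDS:
            return None  # too old: the user must go back through /login
        if bound_service != service:
            return None  # ST presented by a service it was not issued to
        return principal


def demo():
    """Grant one ST to a constructed service and show why re-validating it to
    'confirm' the session cannot work: the first check consumes it."""
    registry = ServiceTicketRegistry()
    service = "https://app.example/callback"  # constructed service URL
    ticket = registry.grant(service, "alice")
    first = registry.validate(ticket, service)   # -> "alice"
    replay = registry.validate(ticket, service)  # -> None
    return first, replay


if __name__ == "__main__":
    print(demo())
```

Because validation consumes the ticket, a client that wanted to re-check an authenticated session against the server would need a reusable, longer-lived credential, which is exactly the trade-off Scott describes above.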
