It's the expected and desired behavior.  You have a cookie and you're not
attempting to access anything so as far as CAS is concerned your session is
fine.  It's only when you attempt to access something that CAS cares whether
the cookie/ticket is valid or not.


On Tue, May 11, 2010 at 9:50 AM, n99 <[email protected]> wrote:

>
> Hello
> I'm seeing what I think is odd.
>
> I've taken a fresh copy of 3.3.5 and uploaded the included cas-webapp.war
> to
> tomcat and see the following.
>
> I login using the default simpletestUsernamePasswordAuthenticationHandler
> and get a CASTGC set.
> I hit the logout url and I see that
>
>
> 2010-05-11 14:40:11,640 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - DispatcherServlet
> with
> name 'cas' determining Last-Modified value for
> [/cas-server-webapp-3.3.5/logout]
> 2010-05-11 14:40:11,642 DEBUG
> [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapping
> [/logout] to handler 'org.jasig.cas.web.logoutcontrol...@f29df8a'
> 2010-05-11 14:40:11,642 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - Last-Modified value
> for [/cas-server-webapp-3.3.5/logout] is: -1
> 2010-05-11 14:40:11,642 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - DispatcherServlet
> with
> name 'cas' processing request for [/cas-server-webapp-3.3.5/logout]
> 2010-05-11 14:40:11,643 DEBUG
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Removing ticket
> [TGT-3-s6uu19ROkI1tvG7lzAiuLYdlCBidadXfrDWEKz1Z2QH6s9VSa5-casdev1] from
> registry.
> 2010-05-11 14:40:11,643 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to
> retrieve ticket
> [TGT-3-s6uu19ROkI1tvG7lzAiuLYdlCBidadXfrDWEKz1Z2QH6s9VSa5-casdev1]
> 2010-05-11 14:40:11,643 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket
> [TGT-3-s6uu19ROkI1tvG7lzAiuLYdlCBidadXfrDWEKz1Z2QH6s9VSa5-casdev1] found in
> registry.
> 2010-05-11 14:40:11,643 DEBUG
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket found.  Expiring
> and then deleting.
> 2010-05-11 14:40:11,643 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket
> [TGT-3-s6uu19ROkI1tvG7lzAiuLYdlCBidadXfrDWEKz1Z2QH6s9VSa5-casdev1] from
> registry
> 2010-05-11 14:40:11,643 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed
> cookie
> with name [CASTGC]
> 2010-05-11 14:40:11,643 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed
> cookie
> with name [CASPRIVACY]
> 2010-05-11 14:40:11,643 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - Rendering view
> [org.springframework.web.servlet.view.JstlView: name 'casLogoutView'; URL
> [/WEB-INF/view/jsp/default/ui/casLogoutView.jsp]] in DispatcherServlet with
> name 'cas'
> 2010-05-11 14:40:11,644 DEBUG
> [org.springframework.web.servlet.view.JstlView] - Forwarding to resource
> [/WEB-INF/view/jsp/default/ui/casLogoutView.jsp] in InternalResourceView
> 'casLogoutView'
> 2010-05-11 14:40:11,644 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - Successfully
> completed
> request
>
> all looks fine. I hit the login page and am shown the login page.
>
> I add the expired cookie above using Firefox webdeveloper toolbar and hit
> the login page again and I am shown the "Log In Successful" page.
>
> I then logout again and am shown
> 2010-05-11 14:41:13,337 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - DispatcherServlet
> with
> name 'cas' determining Last-Modified value for
> [/cas-server-webapp-3.3.5/logout]
> 2010-05-11 14:41:13,337 DEBUG
> [org.springframework.web.servlet.handler.SimpleUrlHandlerMapping] - Mapping
> [/logout] to handler 'org.jasig.cas.web.logoutcontrol...@f29df8a'
> 2010-05-11 14:41:13,338 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - Last-Modified value
> for [/cas-server-webapp-3.3.5/logout] is: -1
> 2010-05-11 14:41:13,338 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - DispatcherServlet
> with
> name 'cas' processing request for [/cas-server-webapp-3.3.5/logout]
> 2010-05-11 14:41:13,338 DEBUG
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Removing ticket
> [TGT-3-s6uu19ROkI1tvG7lzAiuLYdlCBidadXfrDWEKz1Z2QH6s9VSa5-casdev1] from
> registry.
> 2010-05-11 14:41:13,338 DEBUG
> [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to
> retrieve ticket
> [TGT-3-s6uu19ROkI1tvG7lzAiuLYdlCBidadXfrDWEKz1Z2QH6s9VSa5-casdev1]
> 2010-05-11 14:41:13,338 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed
> cookie
> with name [CASTGC]
> 2010-05-11 14:41:13,338 DEBUG
> [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed
> cookie
> with name [CASPRIVACY]
> 2010-05-11 14:41:13,339 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - Rendering view
> [org.springframework.web.servlet.view.JstlView: name 'casLogoutView'; URL
> [/WEB-INF/view/jsp/default/ui/casLogoutView.jsp]] in DispatcherServlet with
> name 'cas'
> 2010-05-11 14:41:13,339 DEBUG
> [org.springframework.web.servlet.view.JstlView] - Forwarding to resource
> [/WEB-INF/view/jsp/default/ui/casLogoutView.jsp] in InternalResourceView
> 'casLogoutView'
> 2010-05-11 14:41:13,339 DEBUG
> [org.springframework.web.servlet.DispatcherServlet] - Successfully
> completed
> request
>
> The ticket was not found in the registry this time but CASTGC still
> deleted.
>
> In fact I can make up any cookie value for CASTGC and I get the "Log In
> Successful" page.
> Is this expected behaviour?
>
> I would maybe think that if you have CASTGC cookie in your request that
> seems to be examined for a "Log In Successful" page to be returned, should
> that CASTGC cookie not be checked against the registry?
>
> This also happens if I use an LDAP fast bind auth handler...
> --
> View this message in context:
> http://jasig.275507.n4.nabble.com/odd-behaviour-of-login-webflow-tp2173842p2173842.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
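
The two logout traces in this thread differ in one record: the second has no "found in registry" line after the lookup. The following is an added example, not part of either message and not CAS project code. It pairs each DefaultTicketRegistry lookup with its confirmation and reports lookups for a TGT the registry did not hold. It assumes the log format shown above with each record on one line (e-mail wrapping undone); the ticket id and the function name are constructed.

```python
import re

# One record: timestamp, level, [logger], message (format of the DEBUG output quoted above).
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \w+ \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
ATTEMPT = re.compile(r"Attempting to retrieve ticket \[(?P<tgt>TGT-[^\]]+)\]")
FOUND = re.compile(r"Ticket \[(?P<tgt>TGT-[^\]]+)\] found in registry")
REGISTRY = "org.jasig.cas.ticket.registry.DefaultTicketRegistry"

# Constructed sample, unwrapped, modelled on the two logout requests in the thread.
SAMPLE_LOG = """\
2010-05-11 14:40:11,643 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-1-CONSTRUCTED-EXAMPLE-casdev1]
2010-05-11 14:40:11,643 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-1-CONSTRUCTED-EXAMPLE-casdev1] found in registry.
2010-05-11 14:40:11,643 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASTGC]
2010-05-11 14:41:13,338 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-1-CONSTRUCTED-EXAMPLE-casdev1]
2010-05-11 14:41:13,338 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - Removed cookie with name [CASTGC]
"""

def unknown_tgt_lookups(log_text):
    """Return sorted (timestamp, ticket_id) pairs for lookups with no 'found' record."""
    pending = {}   # ticket id -> timestamp of a lookup not yet confirmed
    misses = []
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec or rec["logger"] != REGISTRY:
            continue  # only the ticket registry's own records matter here
        attempt = ATTEMPT.search(rec["msg"])
        if attempt:
            tgt = attempt["tgt"]
            if tgt in pending:  # earlier lookup of the same id was never confirmed
                misses.append((pending[tgt], tgt))
            pending[tgt] = rec["ts"]
            continue
        found = FOUND.search(rec["msg"])
        if found:
            pending.pop(found["tgt"], None)  # ticket was live in the registry
    misses.extend((ts, tgt) for tgt, ts in pending.items())
    return sorted(misses)

if __name__ == "__main__":
    for ts, tgt in unknown_tgt_lookups(SAMPLE_LOG):
        print(f"{ts} CASTGC value not in registry: {tgt}")
```

A reported lookup corresponds to the second logout in the thread, where the CASTGC value sent by the browser named a ticket that had already been removed.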
