I see, that's good to know. Thanks for the quick response!
Cheers,
Tim

On 30/09/10 10:44, Scott Battaglia wrote:

Since CAS 3, lt tickets haven't been needed. We're using Spring Web Flow which manages ensuring the flow isn't restarted. We extended Spring Web Flow so that its internal id matched the name "lt" purely for backwards compatibility. Since CAS no longer generates the "lt", the size is controlled by Web Flow. I can look into the Web Flow APIs to see if we can control the size but for all intents and purposes, newer versions of CAS don't require the lt in the same way that CAS2 did.

Cheers,
Scott

On Wed, Sep 29, 2010 at 8:02 PM, Tim Peters <[email protected]> wrote:

Hi cas-users,

I'm currently upgrading a CAS instance from version 3.3.5 to 3.4.2.1, and have noticed a change to the format of the login tickets (i.e., the hidden field "lt" in the login form which is used to prevent replaying credentials).

Previously they were nice and long (76 characters) and looked pretty random. But since upgrading I'm getting very short login tickets generated, and they always follow the same pattern: "e1s1", "e2s1", "e3s1" etc. The CAS protocol states they should be "probabilistically unique" which these are not.

I'm not familiar with the Spring framework used by CAS, so I'm not sure where to start looking. I have verified this happens with an uncustomised Maven build of 3.4.2.1. Is this intentional, or a bug?

Cheers,
Tim
