>> The purpose is to set cookieSecure="false" since from perspective of
>> CAS the CASTGC SSO session cookie is delivered over plain HTTP.
>
> You are referring here to the one-way HTTP-based delivery from the
> content-switch to the CAS server, or the return delivery of the TGC ?

The latter. The response will contain the Set-Cookie header containing
the CASTGC cookie iff the connection is HTTPS by default. The setting I
mentioned relaxes that restriction to send it over HTTP as well. Again, I
would recommend a careful security review prior to communicating with the
CAS server in the clear.

M
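
A way to check which of the two behaviours a deployment shows, added here as an example and not part of the original message: the Python below reads a raw response header block and reports whether the CASTGC cookie was issued and whether it carries the Secure attribute. The function names and the header samples are constructed for illustration.

```python
# Added example: classify how the CAS ticket-granting cookie (CASTGC) was issued.
# Function names are hypothetical; the header blocks are constructed samples.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attributes dict with lowercase keys)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def tgc_status(raw_headers, cookie_name="CASTGC"):
    """Return 'absent', 'secure' or 'insecure' for the TGC in a header block."""
    status = "absent"
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line, blank line or another header
        name, attrs = parse_set_cookie(value)
        if name != cookie_name:
            continue  # e.g. the servlet container's session cookie
        if "secure" not in attrs:
            return "insecure"  # one unflagged TGC is enough to report
        status = "secure"
    return status

# Constructed sample: TGC issued with the Secure attribute.
SAMPLE_SECURE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=constructed-session; Path=/cas\r\n"
    "Set-Cookie: CASTGC=TGT-1-constructed-value; Path=/cas; Secure\r\n"
    "Location: https://app.example.org/\r\n\r\n"
)
# Constructed sample: TGC issued without Secure, as with cookieSecure="false".
SAMPLE_RELAXED = SAMPLE_SECURE.replace("; Secure", "")
# Constructed sample: no TGC in the response at all.
SAMPLE_ABSENT = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=constructed-session; Path=/cas\r\n\r\n"
)

if __name__ == "__main__":
    for label, block in [("secure", SAMPLE_SECURE), ("relaxed", SAMPLE_RELAXED),
                         ("absent", SAMPLE_ABSENT)]:
        print(label, "->", tgc_status(block))
```

An "insecure" result means the browser is free to return the TGC over a plain-HTTP connection.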
