Hello,

Recently we identified a case where a user can access any service with another
user's login. See the steps below to reproduce the case:
1. Open a new browser window and navigate to "https://abc.xyz.com/cas/login", but
do not log in.
2. Open a new tab and again navigate to "https://abc.xyz.com/cas/login"; now
log in as user X. (A new TGT is created for user X.)
3. Access any service as user X and then close the tab.
4. Now go back to the first tab (opened in step 1) and log in as user Y. (A new TGT
is created for user Y, and the TGT for user X is replaced in the CASTGC cookie.)
5. You get a message saying you have authenticated (assuming correct credentials
for user Y were provided).
6. Open a new tab and again access the same service as accessed in step 3.
7. You enter the service as user X and not as user Y.

This happens because, before the new TGT is generated, the old TGT is not expired and
no sign-out signal is sent to the services.
In such cases, the first TGT should be expired and a log-out signal sent to the
services before the new TGT is generated.

Currently we are using CAS server 3.2.1. Kindly suggest how this issue can be 
fixed.

Thanks,
Vivek
-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
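As an added illustration (not code from the thread above and not CAS's own code), the following Python model replays the seven steps against a toy ticket registry, once with the reported behaviour and once with the suggested fix of expiring the old TGT and sending the logout signal to its services before the new TGT is issued. The class and service URL are constructed for this example.

```python
import secrets


class CasModel:
    """Toy model of CAS TGTs, the CASTGC cookie and per-service sessions.

    Constructed for illustration only; it is not CAS code.
    """

    def __init__(self, expire_old_tgt_on_login):
        self.expire_old_tgt_on_login = expire_old_tgt_on_login
        self.tgts = {}              # tgt_id -> {"user": ..., "services": set()}
        self.castgc = None          # value of the browser's CASTGC cookie
        self.service_sessions = {}  # service_url -> user holding an app session

    def login(self, user):
        old = self.castgc
        if old in self.tgts and self.expire_old_tgt_on_login:
            # Fix: send the sign-out signal to every service that used the
            # old TGT (each clears its local session), then expire the TGT.
            for svc in self.tgts[old]["services"]:
                self.service_sessions.pop(svc, None)
            del self.tgts[old]
        tgt = "TGT-" + secrets.token_hex(4)
        self.tgts[tgt] = {"user": user, "services": set()}
        self.castgc = tgt           # new TGT replaces the old one in the cookie
        return tgt

    def access_service(self, url):
        if url in self.service_sessions:
            # The application already has a session; no CAS round trip happens,
            # so whoever established it stays logged in there.
            return self.service_sessions[url]
        tgt = self.tgts.get(self.castgc)
        if tgt is None:
            return None
        tgt["services"].add(url)    # service is now registered for logout
        self.service_sessions[url] = tgt["user"]
        return tgt["user"]


def replay(expire_old_tgt_on_login):
    """Steps 2-7 from the report; returns (user seen in step 3, user seen in step 7)."""
    cas = CasModel(expire_old_tgt_on_login)
    cas.login("X")                                    # step 2
    first = cas.access_service("https://app.example/")  # step 3
    cas.login("Y")                                    # step 4: TGT for Y replaces X's
    second = cas.access_service("https://app.example/")  # step 6/7
    return first, second
```

With `replay(False)` the second access still returns "X", reproducing the report; with `replay(True)` the service session was cleared by the logout signal and the second access re-authenticates as "Y".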