Hi Madhavi, On Jun 3, 2011, at 2:37 AM, Madhavi Polisetty wrote:
> Hi, > > I am wondering what is the significance of the session timeout setting in CAS > web application. AFAIK, the session in the webapp is only used for the webflow state. Its use is an implementation detail, unrelated to the CAS protocol. > > I created CAS war file by making change to the web.xml to contain the > following > > <session-config> > <session-timeout>2</session-timeout> > </session-config> > > > I fired request to https://myhost/cas/login and printed the JSESSION ID and > the TGT cookie on the screen. > > I waited for the session timeout (2 mins) and then tried the login url again > in the same open browser. > > This time the JSESSION ID printed is a new one, but the TGT is same. > > I even tried accessing one of the Client apps from same browser to make sure > TGT is capable of generating an ST and it worked fine. > > In this case I am using DefaultTicketRegistry so the tickets are not > persisted to any permanent storage device. > > My question is, how did CAS retrieve the TGT after the CAS web application > session has timed out? What effect does the timeout setting have in CAS > authentication process? The TGT is stored in a separate cookie, per the protocol. You can control the expiration of the TGT by changing the ticket expiration policy. Rhett > > Thanks > Madhavi > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
