Hi Madhavi,

On Jun 3, 2011, at 11:33 AM, Madhavi Polisetty wrote:

> Hi Rhett,
>  Thank you for the response.
> One last question. When you said the TGT is stored in a separate cookie, what 
> does that mean?

A cookie is a bit of data that's stored in the client's browser, scoped to a 
particular URL, and sent along with any request to that URL. See Wikipedia[1] 
for more detail.

The CAS protocol specifies[2] that the TGT be stored in a cookie that is only 
returned to the CAS server.

> 
> If I am using DefaultTicketRegistry, I was under the impression that it is 
> stored in the CAS Session context. If I used a custom registry like 
> JPATicketRegistry etc, then it will be persisted to the DB or something.

DefaultTicketRegistry stores the tickets on the server side in the server's 
memory. The registry is independent of any particular user. That's different 
from a JEE HTTP Session, which is also stored in the server's memory but is 
tied to a particular user using a cookie or (rarely) a URL parameter.

The CAS Session is something else -- it's a shorthand way of referring to the 
span of time for which the TGT from a particular login is valid. It doesn't 
have a physical manifestation other than the TGT and the expiration policy.

Rhett

[1]: http://en.wikipedia.org/wiki/HTTP_cookie
[2]: http://www.jasig.org/cas/protocol; section 2.1 & 3.6

> 
> If my understanding of DefaultTicketRegistry is correct, then if CAS session 
> has expired.. so should the session attribute (ticketregistry) .. isn't it? 
> 
> I still have a little confusion with this one. Can you please clarify.
> 
> Thank you
> Madhavi
> -- 
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user
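
Added example, not part of the original thread and not CAS's own code: a simplified Python model of the three pieces distinguished above (the cookie that carries only the TGT id back to the CAS server, the server-side registry shared by all users, and the "CAS session" as nothing more than a TGT plus an expiration policy). The class and function names, the CASTGC cookie name, the /cas path, the Secure/HttpOnly attributes and the two-hour lifetime are assumptions made for the illustration.

```python
import secrets
from http.cookies import SimpleCookie

class InMemoryTicketRegistry:
    """One server-side map for all users: ticket id -> ticket (hypothetical model)."""

    def __init__(self, max_age_seconds):
        self.max_age = max_age_seconds  # the expiration policy
        self._tickets = {}

    def issue_tgt(self, principal, now):
        tgt_id = "TGT-" + secrets.token_urlsafe(32)  # unguessable id; the browser holds only this
        self._tickets[tgt_id] = {"principal": principal, "created": now}
        return tgt_id

    def lookup(self, tgt_id, now):
        """Return the principal while the TGT is valid, i.e. while the 'CAS session' lasts."""
        ticket = self._tickets.get(tgt_id)
        if ticket is None:
            return None  # unknown or forged id
        if now - ticket["created"] > self.max_age:
            del self._tickets[tgt_id]  # only this ticket goes; the registry itself lives on
            return None
        return ticket["principal"]

def tgc_header(tgt_id, cas_path="/cas"):
    """Set-Cookie value for the ticket-granting cookie, scoped to the CAS server's path."""
    cookie = SimpleCookie()
    cookie["CASTGC"] = tgt_id
    cookie["CASTGC"]["path"] = cas_path
    cookie["CASTGC"]["secure"] = True    # assumption: sent over HTTPS only
    cookie["CASTGC"]["httponly"] = True  # assumption: hidden from page scripts
    return cookie["CASTGC"].OutputString()

def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: does a browser attach the cookie to this request path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

if __name__ == "__main__":
    registry = InMemoryTicketRegistry(max_age_seconds=7200)  # constructed values
    alice = registry.issue_tgt("alice", now=0)
    bob = registry.issue_tgt("bob", now=3600)
    print(tgc_header(alice))
    print(path_matches("/cas", "/cas/login"), path_matches("/cas", "/app/home"))
    print(registry.lookup(alice, now=7201), registry.lookup(bob, now=7201))
```

When alice's TGT passes its lifetime, only her entry leaves the registry; bob's ticket, issued later, is still valid in the same registry.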

