On Fri, Jun 10, 2011 at 5:07 PM, Fernando Correa <[email protected]> wrote:
> I downloaded the Cookies+ Manager Firefox extension.
> I logged in on computer1 to webapp1. I wrote down the details of the TGC.
> I entered computer2, and with this extension, I replicated the TGC. After
> that, I tried to access webapp1 on computer2, and I got authenticated.
> Is there a way to prevent this?
Yes, don't copy your TGC to another user-agent! :)

The best thing you can do is to make sure SSL is being used to protect the cookie in transit. It is generally assumed that the user-agent has not been compromised, and that there is no path for an attacker to retrieve the TGC.

However, this does bring up an interesting question as to what else CAS could do to ensure the TGC is only being used by the user-agent that it was issued for... thinking about hashing some sort of browser fingerprinting (a la http://panopticlick.eff.org/).

Cheers,
Bill
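To make the fingerprint-binding idea in the reply above concrete, here is an added example (not CAS code, and not from either poster) that MACs a ticket id together with a hash of a few request headers, so a cookie copied to a browser that sends different headers fails validation. The server key, the bound header set and the two browser profiles are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the example; a real deployment loads it
# from protected configuration, never from source.
SERVER_KEY = b"example-server-key-not-for-production"

# Assumption: only these headers feed the fingerprint. Real fingerprinting
# (as on panopticlick) would use many more attributes.
BOUND_HEADERS = ("User-Agent", "Accept-Language")

# Constructed request profiles standing in for computer1 and computer2.
COMPUTER1 = {"User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/4.0", "Accept-Language": "es-AR"}
COMPUTER2 = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/4.0", "Accept-Language": "en-US"}


def fingerprint(headers: dict) -> bytes:
    """Hash the bound request headers into a stable user-agent fingerprint."""
    material = "\n".join(f"{h}:{headers.get(h, '')}" for h in BOUND_HEADERS)
    return hashlib.sha256(material.encode()).digest()


def issue_tgc(headers: dict) -> str:
    """Mint a TGC: random ticket id plus an HMAC over id and fingerprint."""
    ticket_id = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, ticket_id.encode() + fingerprint(headers), "sha256").hexdigest()
    return f"{ticket_id}.{tag}"


def validate_tgc(cookie: str, headers: dict) -> bool:
    """Accept the cookie only when the presenting request has the bound fingerprint."""
    try:
        ticket_id, tag = cookie.split(".", 1)
    except ValueError:
        return False  # malformed cookie, reject
    expected = hmac.new(SERVER_KEY, ticket_id.encode() + fingerprint(headers), "sha256").hexdigest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def replay_demo() -> tuple:
    """Issue a TGC on computer1, then present it from computer1 and from computer2."""
    cookie = issue_tgc(COMPUTER1)
    return validate_tgc(cookie, COMPUTER1), validate_tgc(cookie, COMPUTER2)


if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```

Two browsers that send identical bound headers still produce the same fingerprint, so this only raises the bar for a copied cookie; as the reply says, protecting the cookie in transit with SSL remains the primary control.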
