William G. Thompson, Jr. wrote:
However, this does bring up an interesting question as to what else
CAS could do to ensure the TGC is only being used by the user-agent
that it was issued for...thinking about hashing some sort of browser
finger-printing (ala http://panopticlick.eff.org/).

In my web2ldap, for each hit I cross-check the session ID against a configurable set of CGI-BIN env vars usually set by web servers. The only really secure ones are the SSL session ID and SSL client cert info. Of course this does not really work in reverse proxy deployments.

Not sure which of these are available to CAS in several deployment scenarios.

Ciao, Michael.
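An added example (not web2ldap's or CAS's own code) of the per-hit cross-check described above: a session is bound at creation time to a hash of selected CGI environment variables and re-checked on every request. The variable names are the ones Apache mod_ssl exports (SSL_SESSION_ID, SSL_CLIENT_S_DN, SSL_CLIENT_M_SERIAL); the SessionStore class, the require_binding policy flag and the sample environ dictionaries are assumptions made for this illustration. It also handles the reverse proxy case the message mentions, where those variables are simply absent, by making the policy explicit instead of silently passing.

```python
import hashlib
import hmac
import secrets

# CGI variables exported by Apache mod_ssl. These are the ones the message
# singles out as actually tied to the TLS client. Whatever subset is present
# gets mixed into the fingerprint.
STRONG_VARS = ("SSL_SESSION_ID", "SSL_CLIENT_S_DN", "SSL_CLIENT_M_SERIAL")

# Weaker signals a reverse proxy usually still forwards. They are spoofable
# and change legitimately (NAT, browser upgrades), so they are a fallback only.
WEAK_VARS = ("REMOTE_ADDR", "HTTP_USER_AGENT")


def fingerprint(environ, var_names):
    """Hash the selected CGI variables into one opaque value.

    Returns None when none of the variables is set, so a caller can tell
    "no binding material available" (typical behind a reverse proxy) from
    "binding material present but different".
    """
    present = [(name, environ[name]) for name in var_names if environ.get(name)]
    if not present:
        return None
    h = hashlib.sha256()
    for name, value in present:
        # Length-prefix every field so that concatenation is unambiguous
        # ("a"+"bc" and "ab"+"c" must not hash the same).
        for part in (name, value):
            data = part.encode("utf-8")
            h.update(len(data).to_bytes(4, "big"))
            h.update(data)
    return h.hexdigest()


class SessionStore:
    """Hypothetical in-memory session table (constructed for this example).

    Records the client fingerprint when a session is created and re-checks
    it on every hit, the way the message describes.
    """

    def __init__(self, var_names=STRONG_VARS, require_binding=True):
        self.var_names = var_names
        # If True, a deployment that strips the SSL vars (reverse proxy)
        # cannot validate any session; if False, such hits pass unbound.
        self.require_binding = require_binding
        self._sessions = {}

    def create(self, environ):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = fingerprint(environ, self.var_names)
        return sid

    def validate(self, sid, environ):
        if sid not in self._sessions:
            return False
        stored = self._sessions[sid]
        current = fingerprint(environ, self.var_names)
        if stored is None and current is None:
            # No binding material on either side: policy decides.
            return not self.require_binding
        if stored is None or current is None:
            # Material appeared or vanished mid-session: treat as a mismatch.
            return False
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(stored, current)

    def destroy(self, sid):
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    # Constructed sample environments: a direct TLS connection and a
    # proxied one where mod_ssl variables never reach the application.
    direct = {"SSL_SESSION_ID": "AB12", "SSL_CLIENT_S_DN": "CN=alice",
              "REMOTE_ADDR": "10.0.0.5"}
    proxied = {"REMOTE_ADDR": "10.0.0.5", "HTTP_USER_AGENT": "Example/1.0"}
    store = SessionStore()
    sid = store.create(direct)
    print("same TLS session:", store.validate(sid, direct))
    print("different TLS session:",
          store.validate(sid, dict(direct, SSL_SESSION_ID="CD34")))
    print("proxied, strict policy:",
          SessionStore().validate(SessionStore().create(proxied), proxied))
```

The split between STRONG_VARS and WEAK_VARS reflects the point made in the message: binding to the SSL session ID or the client certificate ties the cookie to the TLS peer, whereas REMOTE_ADDR and the User-Agent string only raise the bar slightly and break legitimately behind NAT or on browser updates.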

--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
