Hi, for this scenario you would need to encrypt the user agent and IP. I've seen solutions based on cryptographic SSO cookie-based authentication with IP and user agent.
But anyway you can reuse the SSO cookie in customer scenarios with a reverse proxy. The best way is securecookie + SSL.

2011/6/13 Michael Ströder <[email protected]>
> William G. Thompson, Jr. wrote:
>> However, this does bring up an interesting question as to what else
>> CAS could do to ensure the TGC is only being used by the user-agent
>> that it was issued for...thinking about hashing some sort of browser
>> finger-printing (ala http://panopticlick.eff.org/).
>
> In my web2ldap for each hit I cross-check the session ID against a
> configurable set of CGI-BIN env vars usually set by web servers. The only
> really secure ones are the SSL session ID and SSL client cert infos. Of
> course this does not really work in reverse proxy deployments.
>
> Not sure which of these are available to CAS in several deployment
> scenarios.
>
> Ciao, Michael.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
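The per-hit cross-check Michael describes (session ID bound to a configurable set of server-set env vars such as the SSL session ID and client-cert DN), as an added example that is not code from CAS or web2ldap; `SESSION_SECRET`, `BINDING_VARS` and the function names are this example's own, and the reverse-proxy caveat shows up as an empty binding when no `SSL_*` vars reach the backend:

```python
import hashlib
import hmac
import secrets

# Constructed example (not CAS/web2ldap code): bind a session cookie to a
# configurable set of CGI env vars. SSL session ID and client-cert fields are
# the ones a third party cannot simply replay; IP and User-Agent can be.
SESSION_SECRET = secrets.token_bytes(32)        # per-deployment key, server-side only
BINDING_VARS = ("SSL_SESSION_ID", "SSL_CLIENT_S_DN")


def fingerprint(environ, names=BINDING_VARS):
    """Hash the selected env vars in fixed order; absent vars hash as empty."""
    material = "\x00".join(f"{n}={environ.get(n, '')}" for n in names)
    return hashlib.sha256(material.encode()).hexdigest()


def issue_cookie(session_id, environ, names=BINDING_VARS):
    """Cookie value is session_id.fingerprint.HMAC so tampering is detectable."""
    fp = fingerprint(environ, names)
    tag = hmac.new(SESSION_SECRET, f"{session_id}.{fp}".encode(), "sha256").hexdigest()
    return f"{session_id}.{fp}.{tag}"


def verify_cookie(cookie, environ, names=BINDING_VARS):
    """Return the session id only if the cookie is intact and the binding still holds."""
    try:
        session_id, fp, tag = cookie.split(".")
    except ValueError:
        return None                                # malformed cookie
    expected = hmac.new(SESSION_SECRET, f"{session_id}.{fp}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                                # cookie was altered
    if not hmac.compare_digest(fp, fingerprint(environ, names)):
        return None                                # presented from another TLS session / cert
    return session_id


def binding_is_meaningful(environ, names=BINDING_VARS):
    """False when none of the binding vars are set, e.g. TLS terminated at a reverse proxy."""
    return any(environ.get(n) for n in names)
```

If `binding_is_meaningful` is false for every request, every client shares one fingerprint and the check adds nothing, which is the reverse-proxy problem from the thread.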
