> No production CAS instance should be not running over https.

If only everyone were sane. We've had several folks show up, be warned of the dangers of http on even the most small and secure networks, and yet proceed to set secure=false on the TGC CookieGenerator to support sending the SSO cookie over http.

> Would predicating a message on ! HttpServletRequest.isSecure()

Maybe it's time we upped the ante for folks like the above and make it harder to run over plain http by proceeding with your suggestion.

> isSecure() should return the correct value even when SSL is being offloaded
> to something fronting the servlet container (is this enough universally
> true?)

Only testing could say for certain.

M
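The check discussed in this thread, sketched as a servlet filter that warns (or optionally refuses) when the container reports a request as not secure. This is an added example, not code from CAS or from either poster; the class name `InsecureTransportFilter` and the `rejectInsecure` init-param are hypothetical, and the Tomcat Connector attributes in the comment are one example of how a container is told about offloaded SSL.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not part of CAS): flags requests the container sees as plain http. */
public class InsecureTransportFilter implements Filter {
    private static final Logger LOG =
            Logger.getLogger(InsecureTransportFilter.class.getName());

    // Assumed init-param "rejectInsecure"; when absent the filter only warns.
    private boolean reject;

    @Override
    public void init(FilterConfig config) {
        reject = Boolean.parseBoolean(config.getInitParameter("rejectInsecure"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // isSecure() reports what the container believes about the connection.
        // Behind an SSL-offloading front end it is true only if the container has
        // been told so (for example Tomcat's Connector secure="true" scheme="https"),
        // so the result has to be tested in each deployment.
        if (!req.isSecure()) {
            LOG.warning("CAS request from " + req.getRemoteAddr()
                    + " arrived over plain http; the SSO cookie is exposed on this channel");
            if (reject && res instanceof HttpServletResponse) {
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_FORBIDDEN, "HTTPS is required");
                return; // do not hand the request on to the login flow
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```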
