> When I opened the new tab manually, IE8 shared the cookies (CASTGT) with both > tabs, but it didn't share the SSL state.
Makes sense. The new tab is opening a new connection to the CAS, which naturally involves an SSL handshake where certificates would be exchanged. > Is this the correct behavior for CAS? Strictly speaking, yes. I can't imagine any server-side solution to the behavior you reported; client-side browser configuration would be your only option. That said, it's hard to imagine a practical use case for having two different authenticated sessions in one browser. Do you have a use case for a user having two separate security principals that would be in use simultaneously? M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
