Hi All,

I'm not sure if this is a CAS Client issue or a Tomcat one, but I'm trying to do a little research to get to the bottom of the problem, so I thought I would check here.

We have a Spring Web app using the CAS client and SAML auth against a CAS Server. I'm looking to protect the Spring Web App against Session Fixation. There are two main methods of exploitation for this issue:

1) The application sets a session ID for a non-authenticated user. When the user authenticates, the session ID is not changed. If the attacker can access this session ID token, they will be able to steal the user's session.

2) The attacker can "force" the user to use a token they have created. This is accomplished by the attacker visiting the site and being assigned a session ID.

I was wondering if the CAS client already contains protection against Session Fixation and I just need to set a certain feature. A simple point in the right direction will probably be enough.

Many Thanks,
James
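The standard mitigation for both cases described above is to issue a new session ID at the moment the session becomes authenticated. As an added example (not code from the CAS client or the original post), here is a servlet filter that does that for a CAS-protected app; it assumes the CAS client reads the service ticket from a request parameter named `ticket` and that the filter is mapped ahead of the CAS validation filter.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Map this in web.xml ahead of the CAS client's ticket validation filter, so the
// new JSESSIONID cookie travels with the validation filter's own redirect.
public class SessionFixationGuardFilter implements Filter {
    // ASSUMPTION: the CAS client reads the service ticket from the "ticket"
    // request parameter (its default artifact parameter name).
    private static final String TICKET_PARAM = "ticket";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Only the callback carrying a service ticket is about to turn this
        // session into an authenticated one; rotate the ID right before that.
        if (request.getParameter(TICKET_PARAM) != null) {
            rotateSession(request);
        }
        chain.doFilter(req, res);
    }

    // Drop the pre-authentication session, whatever ID it carried (attacker-
    // chosen or not), and move its attributes into a freshly issued session.
    static HttpSession rotateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Copying the old session's attributes is optional: if the app keeps nothing it needs from before login, skip the copy so that state placed in an attacker-chosen session never reaches the authenticated one. On a Servlet 3.1 container the same effect is available via `request.changeSessionId()`, which keeps the attributes and swaps only the ID.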
