I do not believe we have anything specific for it, mostly because better security packages that integrate the raw client do (i.e. Spring Security).
On Wed, Sep 12, 2012 at 9:50 AM, James Parry <[email protected]>wrote: > Hi All,**** > > ** ** > > I’m not sure if this is a CAS Client issue or Tomcat but trying to doing a > little research to try and get to the bottom of the problem so I thought I > would check here.**** > > ** ** > > We have a Spring Web app using the CAS client and SAML auth against a CAS > Server.**** > > ** ** > > I’m looking to try and protect the Spring Web App against Session Fixation. > **** > > ** ** > > There are two main methods of exploitation for this issue: **** > > 1) The application sets a session ID for a non-authenticated user. When > the user authenticates, the session ID is not changed. If the attacker can > access this session ID token then they will be able to steal the user's > session. **** > > 2) The attacker can "force" the user to use a token they have created. > This is accomplished by the attacker visiting the site and being assigned a > session ID. **** > > ** ** > > I was wondering if the CAS client already contains protection against > Session Fixation and I just need to set a certain feature.**** > > **** > > A simple point in the right direction will probably be enough.**** > > ** ** > > Many Thanks**** > > ** ** > > James**** > > -- > You are currently subscribed to [email protected] as: > [email protected] > > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
