Adding just a bit more...
Can TGT expiration be push backed due to client activity?
Yes, you can set the separate "idle" and "hard" timeout for TGT's:
https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/spring-configuration/ticketExpirationPolicies.xml
<!-- TicketGrantingTicketExpirationPolicy: Default as of 3.5 -->
<!-- Provides both idle and hard timeouts, for instance 2 hour sliding
window with an 8 hour max lifetime -->
<bean id="grantingTicketExpirationPolicy"
class="org.jasig.cas.ticket.support.TicketGrantingTicketExpirationPolicy"
p:maxTimeToLiveInSeconds="${tgt.maxTimeToLiveInSeconds:28800}"
p:timeToKillInSeconds="${tgt.timeToKillInSeconds:7200}"/>
Once a client trades in an ST for a session, that session timeout is controlled
by whoever is controlling the session. For example, mod_auth_cas has the
following:
https://github.com/Jasig/mod_auth_cas/blob/master/README
Directive: CASTimeout
Default: 7200 (2 hours)
Description: This is the hard limit, in seconds, for a mod_auth_cas session
(whether
it is idle or not). When a session has reached this age and a
new
request is made, the user is redirected to the CASLoginURL to
obtain a new service ticket. When this new ticket is validated,
they will be assigned a new mod_auth_cas session. Set this
value to '0'
in order to allow a non-idle session to not expire.
Directive: CASIdleTimeout
Default: 3600 (1 hour)
Description: This is a limit, in seconds, of how long a mod_auth_cas session
can be idle.
When a request comes in, if it has been inactive for
CASIdleTimeout
seconds, the user is redirected to the CASLoginURL to obtain a
new
service ticket.
RememberMe page which is mentioned below by Mateusz:
https://wiki.jasig.org/display/CASUM/Remember+Me
David Ohsie
EMC Corporation
-----Original Message-----
From: Szczap, Mateusz [mailto:[email protected]]
Sent: Thursday, November 15, 2012 3:25 AM
To: [email protected]
Subject: AW: [cas-user] What is the best way to handle CAS session timeout?
1. Yes, each client has it's own TGT stored as TGC (Ticket Granting Cookie) in
a secure domain (https) 2. If I am not mistaken if you are not asking for new
ST (Service Ticket), TGT will expire after a configurable TGT timeout, which by
default is 8 hours but it is configurable.
3. It is a browser cookie and for security reasons it is removed after a
browser restarts (it is a non persistent cookie). Take a look at "remember me"
functionality, I think CAS supports this.
PS.
I am still a new user to CAS but probably it is better to answer you than you
are left without any answer to your problem.
________________________________________
Von: Jonathan [[email protected]]
Gesendet: Donnerstag, 15. November 2012 02:51
An: [email protected]
Betreff: [cas-user] What is the best way to handle CAS session timeout?
The setup is 1 CAS server and 2 CAS client.
The user has been active on client 1, but has not been active on client 2.
Does each client have its own TGT?
Can TGT expiration be push backed due to client activity?
As for TGT, does this have to be a browser session cookie, or can TGT be
configured so that it can last even after the browser restarts?
Thanks
Jonathan
--
You are currently subscribed to [email protected] as:
[email protected] To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected] To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
