Sometime around Firefox 15 or 16, the behavior changed. If you close
Firefox by clicking the [X] button on the window, when you re-open Firefox
all of your session cookies are still present. If you close Firefox by
choosing File > Quit, when you re-open Firefox the cookies are gone.
However, if you choose History > Restore Previous Session, then all the
cookies and pages are restored.
If you know of a server-side way to prevent this, I'd love to hear it!
Andy
On Thu, 28 Feb 2013, Ohsie, David wrote:
Andrew, my experience using firefox and chrome (and I think IE as well) to
access CAS protected applications differs. If the cookies are set right by
the server, it is sufficient to kill the browser to force a new login.
I'm not claiming that public internet terminals are safe or that there are
no ways to exploit this, but I would say that if your application remains
accessible after your browser is restarted, then you should be looking at
your application setup and then your CAS setup to ensure that the cookies
are set to expire upon the end of the session (and that the caching control
is also set properly for sensitive pages). None of this is foolproof, but
basic safeguards should be maintained.
David Ohsie
Software Architect
EMC Corporation
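As an added illustration of the two server-side conditions David names (session cookies carrying an Expires/Max-Age, and protected pages that the browser is allowed to cache), the following Python snippet audits a response's Set-Cookie and Cache-Control headers. It is example code written for this thread, not code from CAS or from any poster; the cookie names, header values and paths in the sample responses are constructed.

```python
# Added example (not from the thread or the CAS project): audit the response
# headers of a CAS-protected application for the two server-side conditions
# discussed above. Cookie names, header values and paths below are constructed.

def cookie_is_persistent(set_cookie: str) -> bool:
    """True if a Set-Cookie header carries Expires or Max-Age.

    A cookie with either attribute is written to disk and survives a browser
    restart; a true session cookie has neither.
    """
    attributes = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return any(a.startswith(("expires=", "max-age=")) for a in attributes)


def cache_control_directives(headers) -> set:
    """Collect lower-cased Cache-Control directives, merging repeated headers."""
    directives = set()
    for name, value in headers:
        if name.lower() == "cache-control":
            directives.update(d.strip().lower() for d in value.split(","))
    return directives


def audit_response(headers, sensitive_page: bool):
    """Return a list of findings for one HTTP response.

    headers: list of (name, value) pairs as sent by the server.
    sensitive_page: True when the response body is protected content that
    should never be served back from the browser cache.
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        if cookie_is_persistent(value):
            findings.append(
                f"cookie {cookie_name!r} has Expires/Max-Age: it is persistent "
                "and will still be sent after the browser is closed and reopened"
            )
    if sensitive_page and "no-store" not in cache_control_directives(headers):
        findings.append(
            "sensitive page is missing 'Cache-Control: no-store': the rendered "
            "page can be shown from the browser cache without a new login"
        )
    return findings


# Constructed sample: an application whose container session cookie was given a
# 30-day Max-Age and whose protected page is publicly cacheable.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=constructed-session-id; Path=/app; Max-Age=2592000"),
    ("Cache-Control", "public, max-age=3600"),
]

# Constructed sample: a session-scoped cookie (no Expires/Max-Age) and a
# no-store page, which is what David asks the original poster to verify.
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=constructed-session-id; Path=/app; Secure; HttpOnly"),
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response, sensitive_page=True) or ["no findings"])
```

Run it against headers captured from your own application and from the CAS login response (the CAS ticket-granting cookie should be session-scoped as well). A clean result only confirms the server-side hygiene David describes; as Andy notes further down the thread, a browser that restores its previous session can still bring back a genuine session cookie, so this check does not replace logging out of CAS and of the desktop session on a shared machine.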
From: Andrew Petro [mailto:[email protected]]
Sent: Thursday, February 28, 2013 2:43 PM
To: [email protected]
Subject: Re: [cas-user] Public computer login and CAS
I believe this is a well-known issue.
Modern browsers take liberties with their interpretation of the duration of
session-scoped cookies, such that merely closing the web browser is no
longer sufficient.
Users need to either explicitly log out of CAS to end their single sign-on
session and out of your application to end their session with your
application, or explicitly log out of their operating system desktop session
to prevent others from accessing it. The latter is far preferable.
You can try to make explicit logout from CAS have a side effect of single
logout callbacks to your application to also log the user out of the
application, but this doesn't address the root issue of there being a window
of time within which the end user has valid session cookies that the browser
did not clean up on browser close such that re-opening the browser can
resurrect them.
Known shared browser installs can and should be configured to implement a
tighter understanding of what a session cookie's duration ought to be. To
the extent that you're curating browser installs for, say, known-shared
computers in computer labs on a campus, those browser installs should be so
configured. Internet cafe purveyors ought to do this. Most probably don't.
Then again, I just assume that all Internet cafe computers are equipped with
at least one malware keystroke logger. [1]
Otherwise, end users really really should be afforded the opportunity to
fully log out of their operating system sessions, and should do so when
leaving a shared computer.
[1]: A quick Google search suggests I'm not far off -- four out of ten
internet cafes providing keystroke loggers with their lattes in this one
study. http://www.jiti.net/v11/jiti.v11n3.169-182.pdf
On Thu, Feb 28, 2013 at 2:08 PM, Ohsie, David <[email protected]> wrote:
Do you have "Remember Me" turned on?
If not, it is possible that either the session cookies from your site are
persistent (with an explicit Expires/MaxAge) or else the cache control
headers are allowing some pages to remain within the browser cache.
From: Danny Sinang [mailto:[email protected]]
Sent: Thursday, February 28, 2013 12:55 PM
To: [email protected]
Subject: [cas-user] Public computer login and CAS
Hi,
I noticed that closing and reopening my browser allows me to access
protected webpages on my CASified site.
This could be a problem if I logged in from a public computer (internet
cafe, etc).
Is there a way to secure against this?
Regards,
Danny
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user