Hi. I'm looking to check my understanding and ask for some advice.

I have two Spring Security based web applications that both use cas to provide authentication against an OpenLDAP identity store. If a user logs into application 1 (App1) and follows a link to application 2 (App2) the following takes place:

- Spring (in App1) will call the cas login url initially, the user will provide credentials, these will be authenticated, a TGT Cookie will be set, a new ST will be validated in a call back to the cas server and a Spring Security session established in App1.
- Upon linking to App2, Spring (in App2) will call the cas login url, the TGT Cookie will be presented to cas, a new ST will be returned then validated on call back and a Spring Security session established in App2.

Assuming the TGT Cookie expiration policy is 30 minutes of inactivity and the http session inactivity timeout on both apps is 30 minutes, if the user spends 1 hour using App2 then clicks a link back to App1 the Spring Security session will no longer be there in App1 causing the cas login url to be called - as the TGT cookie has also expired a login page will be presented to the user. Is this correct?

Assuming it is, then in my situation this is undesirable as the user is led to believe that they have been actively using a global id and should not have timed out (especially if branding indicates both apps are part of the same whole). What possible strategies are there to keep the TGT Cookie "fresh"? I understand that to a large extent this is not really the responsibility of cas but I would be interested in any thoughts anyone might be able to contribute.

I'm hoping I have explained my situation reasonably and this is not too stupid a question. Thanks in anticipation.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
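The timeline the poster describes can be checked step by step with a small simulation. The following is an added example, not code from the original post, CAS or Spring Security; it assumes that the TGT inactivity timer is refreshed only when an application redirects to CAS and a Service Ticket is issued against the TGT, and that each application's HTTP session idle timer is refreshed only by requests to that application. Times are in minutes, and the `SsoState`, `run` and scenario function names are hypothetical.

```python
# Added simulation of the CAS TGT / Spring Security session interplay.
# Assumptions (not from the post): the TGT idle clock is touched only by
# CAS interactions (ST issuance), while each app's session idle clock is
# touched only by requests to that app. All times are minutes.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SsoState:
    tgt_idle_timeout: float
    session_idle_timeout: float
    tgt_last_used: Optional[float] = None                 # None: no TGT cookie yet
    session_last_used: Dict[str, float] = field(default_factory=dict)  # app -> time
    prompts: List[float] = field(default_factory=list)    # times the login form appeared

    def tgt_valid(self, now: float) -> bool:
        return (self.tgt_last_used is not None
                and now - self.tgt_last_used <= self.tgt_idle_timeout)

    def session_valid(self, app: str, now: float) -> bool:
        last = self.session_last_used.get(app)
        return last is not None and now - last <= self.session_idle_timeout

    def request(self, app: str, now: float) -> str:
        """Handle a user request to `app` at minute `now`; return the outcome."""
        if self.session_valid(app, now):
            # Local Spring Security session still alive: CAS is never contacted,
            # so the TGT idle clock is NOT refreshed by this request.
            self.session_last_used[app] = now
            return "session"
        # No valid session: the app redirects to the CAS login URL.
        if self.tgt_valid(now):
            outcome = "sso"      # TGT cookie accepted, ST issued, no login form
        else:
            outcome = "login"    # TGT missing/expired: login form, new TGT set
            self.prompts.append(now)
        self.tgt_last_used = now                 # either path touches the TGT
        self.session_last_used[app] = now        # ST validated, session established
        return outcome


def run(events: List[Tuple[float, str]], tgt_idle: float = 30,
        session_idle: float = 30) -> List[Tuple[float, str, str]]:
    """Replay (time, app) events and return (time, app, outcome) for each."""
    state = SsoState(tgt_idle, session_idle)
    return [(t, app, state.request(app, t)) for t, app in events]


def poster_scenario() -> List[Tuple[float, str, str]]:
    """Login to App1, link to App2, use App2 for an hour, return to App1."""
    events = [(0, "App1"), (1, "App2")]
    events += [(t, "App2") for t in range(6, 62, 5)]   # App2 activity every 5 min
    events += [(62, "App1")]
    return run(events)


def short_gap_scenario() -> List[Tuple[float, str, str]]:
    """Return to App1 after its session expired but while the TGT is fresh."""
    events = [(0, "App1"), (10, "App2"), (15, "App2"), (20, "App2"),
              (25, "App2"), (30, "App2"), (35, "App1")]
    return run(events)


if __name__ == "__main__":
    for t, app, outcome in poster_scenario():
        print(f"t={t:>3} {app}: {outcome}")
```

Running `poster_scenario()` confirms the post's reasoning: every App2 request after the initial link is served from App2's own session, so CAS is never touched again, the TGT's 30-minute idle clock runs out, and the return to App1 at minute 62 ends in `login`. `short_gap_scenario()` shows the contrast: App1's session has lapsed at minute 35, but the TGT was last used at minute 10, so the redirect to CAS yields `sso` with no form.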
