Hi,

We noticed that if the login page has been idle for a while and the user then tries to log in, it fails, and he needs to retry (this 2nd attempt succeeds). I realize the cause is the HTTP session timeout, since the LoginTicket is stored in the session: http://stackoverflow.com/questions/14135742/cas-credentials-dont-get-validated-if-the-login-page-is-idle
But what is the recommended solution? So far I considered:

1) Increasing the HTTP session timeout (in web.xml). But I'm afraid of the memory consumption, since we expect tens (or even hundreds) of thousands of users.
2) Automatically refreshing the page every half hour or so, using JavaScript. But then I keep the HTTP session alive forever, e.g. if the user left the screen and went for a long vacation.
3) I even considered overriding AuthenticationViaFormAction so that it would ignore the LoginTicket. But I don't fully understand the security risk of giving up LoginTicket. The documentation mentions browser bugs related to the "back" button, but I didn't understand what they are (we use Chrome, BTW).
4) Any other alternative will be welcome.

Thanks very much
