I'm no expert, but IMHO it seems like a cool "catch" :) Not critical for my project, but nice to keep in mind. Shouldn't it be easy to implement your own org.jasig.cas.util.UniqueTicketIdGenerator?

Just a minor unrelated note - I hope your CAS connections are HTTPS...? Because when I hear "traffic analysis" I imagine those tools that monitor masses of traffic; that should fail because the TicketGrantingCookie should travel on https. That doesn't hurt the validity of your argument - a cracker can simply perform several logins and watch the TGTs. I just brought it up because the phrase "traffic analysis" got me worried about encryption.

On Thu, Nov 14, 2013 at 1:14 PM, Guido Wimmel <[email protected]> wrote:
> Hi,
>
> is there a specific reason why CAS by default includes sequence numbers in
> the generated ticket granting ticket ids? (e.g. TGT-1-xxxxx, TGT-2-xxxxx, ...)
>
> With the help of the sequence numbers, one could perform traffic analyses
> (e.g. determining how many logins there are in a given timespan), which
> might be undesired.
>
> The default service tickets look similar, but in this case one can switch
> to SAML authentication, where the ids are generated differently.
>
> Could there be any potential problems in switching to SAML compliant ids
> for TGTs as well?
> (I understand this might be possible by changing the configuration in
> uniqueIdGenerators.xml)
>
> Best regards,
> Guido
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
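A generator of the kind the reply suggests, as an added example that is not code from CAS or from either poster: it drops the monotonically increasing counter that the default `TGT-<n>-<random>` format carries, so two ids observed at different times no longer reveal how many tickets were issued in between. It assumes the `org.jasig.cas.util.UniqueTicketIdGenerator` interface exposes a single `String getNewTicketId(String prefix)` method; the class and package names below are constructed.

```java
package example.cas; // constructed package, not part of CAS

import java.security.SecureRandom;
import org.jasig.cas.util.UniqueTicketIdGenerator;

/**
 * Ticket id generator without a sequence number. Each id is
 * prefix + "-" + hex(random bytes) [+ "-" + suffix], so consecutive
 * ids carry no ordering or volume information.
 */
public final class UnsequencedTicketIdGenerator implements UniqueTicketIdGenerator {

    private static final SecureRandom RNG = new SecureRandom();
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    private final int randomBytes;
    private final String suffix;

    /**
     * @param randomBytes number of random bytes per id; at least 16 (128 bits)
     *                    so the id cannot be guessed or brute-forced
     * @param suffix      optional node suffix for clustered deployments, may be null
     */
    public UnsequencedTicketIdGenerator(final int randomBytes, final String suffix) {
        if (randomBytes < 16) {
            throw new IllegalArgumentException("use at least 16 random bytes");
        }
        this.randomBytes = randomBytes;
        this.suffix = (suffix == null || suffix.isEmpty()) ? "" : "-" + suffix;
    }

    @Override
    public String getNewTicketId(final String prefix) {
        final byte[] buf = new byte[randomBytes];
        RNG.nextBytes(buf);
        // Hex keeps the id cookie- and URL-safe without relying on Java 8 Base64.
        final StringBuilder sb = new StringBuilder(prefix.length() + 1 + buf.length * 2 + suffix.length());
        sb.append(prefix).append('-');
        for (final byte b : buf) {
            sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
        }
        return sb.append(suffix).toString();
    }
}
```

Wiring it in for TGTs is done in uniqueIdGenerators.xml, as Guido notes, by pointing the ticket-granting-ticket generator bean at this class instead of the default one.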
