> When this happens, we notice the login ticket (lt) hidden form field value
> is different to the one shown in the error message, e.g.
>
> ticket 'LT-3809-ruffCnzXUSVmjenefNEAzOHsNPJV6P' not recognized
>
> Form field was
>
> <input type="hidden" name="lt" value="LT-3811-AiSyuqtMYYITAFiKt2SdWrPbBUaMIF" />
I'm not sure whether this failure mode is widely known, but we've taken fairly extreme measures to minimize the likelihood and have been mostly successful. There are a couple of common causes: simultaneous access of multiple CAS resources by the same user agent (usually multiple tabs), and routing to a new node in an HA setup that does not have session clustering. In all cases the LT that is authoritative for the login flow does not match the one sent via browser POST. Since the LT is a flow scope variable that is ultimately backed by session storage, anything that causes session state to be lost can trigger it. Additionally, since there can be exactly one session for a given user agent, it's possible to overwrite the session identifier in a concurrent access scenario such that the client has the "wrong" session identifier (and consequently the "wrong" LT in the form field). It's hard to articulate that cause clearly, so I hope you understand.

In any case the best solution is to avoid session storage of flow state altogether; we are testing that solution now using the following component:

https://github.com/serac/spring-webflow-client-repo

We have also implemented a fairly awkward solution with session storage where we force clients to get a session before actually landing at the CAS login page. That alleviates the first potential cause of the error I mentioned above (multiple browser tabs), but does not resolve the node failover scenario. If you want a durable solution with session storage in an HA setup, you'll have to implement session replication.

Hope that sheds some light.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
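The two causes the reply describes (a second tab overwriting the session-scoped LT, and a failover to a node that never saw the session) can be reproduced in a small model. The following is an added example, not CAS code and not the spring-webflow-client-repo component linked above: `SessionBackedLoginFlow` models a node that keeps the LT in server-side session storage, and `ClientStateLoginFlow` models the alternative where the LT is an HMAC-signed token carried only in the form, so any node holding the shared key can validate it and each rendered form has an independent ticket. All class names, the `LT-<seq>-...` layout and the session ids are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class SessionBackedLoginFlow:
    """A CAS node whose flow state (the LT) lives in server-side session
    storage. Constructed model of the behaviour described in the post."""

    def __init__(self, node_name):
        self.node_name = node_name
        self.sessions = {}   # session id -> LT currently authoritative for it
        self.seq = 0

    def render_login_page(self, session_id):
        # Each render creates a new LT in flow scope. A user agent has exactly
        # one session, so a second tab overwrites the LT the first form carries.
        self.seq += 1
        lt = f"LT-{self.seq}-{secrets.token_urlsafe(12)}"
        self.sessions[session_id] = lt
        return lt

    def submit_login_form(self, session_id, posted_lt):
        expected = self.sessions.get(session_id)
        if expected is None or not hmac.compare_digest(expected, posted_lt):
            return f"ticket '{posted_lt}' not recognized"
        del self.sessions[session_id]   # an LT is single use
        return "ok"


class ClientStateLoginFlow:
    """A CAS node whose LT is a self-describing, HMAC-signed token carried only
    in the form; no session state is needed to validate it (constructed model)."""

    def __init__(self, node_name, shared_key, ttl_seconds=300):
        self.node_name = node_name
        self.key = shared_key
        self.ttl = ttl_seconds
        self.seq = 0
        # Replay guard. This set is per node; in an HA deployment it would need
        # a shared store or a short TTL, otherwise each node accepts a token once.
        self.used_nonces = set()

    def _sign(self, payload_b64):
        return hmac.new(self.key, payload_b64.encode(), hashlib.sha256).hexdigest()

    def render_login_page(self):
        self.seq += 1
        payload = json.dumps({"nonce": secrets.token_urlsafe(12), "iat": int(time.time())})
        payload_b64 = base64.urlsafe_b64encode(payload.encode()).decode()
        return f"LT-{self.seq}-{payload_b64}.{self._sign(payload_b64)}"

    def submit_login_form(self, posted_lt):
        try:
            _, _, body = posted_lt.split("-", 2)        # urlsafe b64 may contain '-'
            payload_b64, sig = body.split(".", 1)
        except ValueError:
            return f"ticket '{posted_lt}' not recognized"
        if not hmac.compare_digest(self._sign(payload_b64), sig):
            return f"ticket '{posted_lt}' not recognized"
        payload = json.loads(base64.urlsafe_b64decode(payload_b64))
        if time.time() - payload["iat"] > self.ttl:
            return f"ticket '{posted_lt}' expired"
        if payload["nonce"] in self.used_nonces:
            return f"ticket '{posted_lt}' already used"
        self.used_nonces.add(payload["nonce"])
        return "ok"


def run_scenarios():
    """Replays the two failure causes against both storage models."""
    results = {}

    # Cause 1: two tabs, one session, session-backed flow state.
    node = SessionBackedLoginFlow("node-a")
    tab1_lt = node.render_login_page("JSESSIONID-1")
    tab2_lt = node.render_login_page("JSESSIONID-1")   # overwrites tab 1's LT
    results["session_two_tabs_first_tab"] = node.submit_login_form("JSESSIONID-1", tab1_lt)
    results["session_two_tabs_second_tab"] = node.submit_login_form("JSESSIONID-1", tab2_lt)

    # Cause 2: HA failover with no session replication.
    node_a = SessionBackedLoginFlow("node-a")
    node_b = SessionBackedLoginFlow("node-b")
    results["session_failover"] = node_b.submit_login_form(
        "JSESSIONID-2", node_a.render_login_page("JSESSIONID-2"))

    # Same two cases with client-side flow state and a key shared by both nodes.
    key = secrets.token_bytes(32)
    node_a = ClientStateLoginFlow("node-a", key)
    node_b = ClientStateLoginFlow("node-b", key)
    tab1_lt = node_a.render_login_page()
    tab2_lt = node_a.render_login_page()
    results["client_two_tabs_first_tab"] = node_a.submit_login_form(tab1_lt)
    results["client_two_tabs_second_tab"] = node_a.submit_login_form(tab2_lt)
    results["client_failover"] = node_b.submit_login_form(node_a.render_login_page())
    results["client_replay"] = node_a.submit_login_form(tab1_lt)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} {outcome}")
```

The session-backed node rejects the first tab's ticket with the same "not recognized" message quoted at the top of the thread, and rejects every ticket after a failover; the client-state node accepts both tabs and the failover case because validation depends only on the key. The replay guard is the one piece of state that does not disappear with this design, which is why the class carries the comment about sharing it across nodes.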
