I’m not sure what you mean, but a typical login scenario looks like this:

  1. Visit homepage (Moodle site) and follow the login link which redirects to 
the CAS login page.
  2. Type username and password (15 secs) and click Login button, which 
redirects back to the CAS login page.
  3. Type username and password (15 secs) and click Login button, which 
redirects back to the Moodle profile page.

It goes without saying that I’m attempting to remove the second step :)

Digging a little deeper I see the following HTTP traffic (with only relevant 
headers, all cookies etc.):

i) GET /login/index.php HTTP/1.1
Host: www.tmggloballearning.com.au
Cookie: MoodleSession=ckvhoqkk0ho3r559am69h1s9j6
>  HTTP/1.1 302 Moved Temporarily
>  Location: 
> https://login.tmggloballearning.com.au/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php&gateway=true

ii) GET 
/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php&gateway=true
 HTTP/1.1
Host: login.tmggloballearning.com.au
Cookie: visited=yes; JSESSIONID=1hw2aav53nxmw141tysfwsch9y
>  HTTP/1.1 302 Found
>  Set-Cookie: visited=yes
>  Location: http://www.tmggloballearning.com.au/login/index.php

iii) GET /login/index.php HTTP/1.1
Host: www.tmggloballearning.com.au
Cookie: MoodleSession=ckvhoqkk0ho3r559am69h1s9j6
>  HTTP/1.1 302 Moved Temporarily
>  Location: 
> https://login.tmggloballearning.com.au/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php

iv) GET 
/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php 
HTTP/1.1
Host: login.tmggloballearning.com.au
Cookie: JSESSIONID=1hw2aav53nxmw141tysfwsch9y; visited=yes
>  HTTP/1.1 200 OK
>  Set-Cookie: visited=yes

v) POST 
/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php 
HTTP/1.1
Host: login.tmggloballearning.com.au
Cookie: JSESSIONID=1hw2aav53nxmw141tysfwsch9y; visited=yes
        
username=...&password=...&submit=LOGIN&lt=LT-44-nmNOEonHnVgXLY9qum2qepVYXK2pPA&execution=e2s1&_eventId=submit
>  HTTP/1.1 302 Found
>  Set-Cookie: visited=yes
>  Set-Cookie: JSESSIONID=1lwdoco5zbro47ic7mt69yfvh;Path=/;Secure
>  Location: 
> https://login.tmggloballearning.com.au/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php

vi) GET 
/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php 
HTTP/1.1
Host: login.tmggloballearning.com.au
Cookie: visited=yes; JSESSIONID=1lwdoco5zbro47ic7mt69yfvh
>  HTTP/1.1 200 OK
>  Set-Cookie: visited=yes

vii) POST 
/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php 
HTTP/1.1
Host: login.tmggloballearning.com.au
Cookie: JSESSIONID=1lwdoco5zbro47ic7mt69yfvh; visited=yes

username=...&password=...&submit=LOGIN&lt=LT-46-L0pDwdjmkbIx4bJXrroOBLdUb1z66V&execution=e1s1&_eventId=submit
>  HTTP/1.1 302 Found
>  Set-Cookie: visited=yes
>  Set-Cookie: CASPRIVACY="";Version=1;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 
> GMT;Max-Age=0
>  Set-Cookie: 
> CASTGC=TGT-11-j0G4MehvCRKYlk7YybXRUdz7uhTzQqyleqYbTaEbzexCrETm7B-tmggloballearning;Path=/;Secure
>  Location: 
> http://www.tmggloballearning.com.au/login/index.php?ticket=ST-11-etg7AuFkH7I7KW5wnxIq-tmggloballearning

viii) GET /login/index.php?ticket=ST-11-etg7AuFkH7I7KW5wnxIq-tmggloballearning 
HTTP/1.1
Host: www.tmggloballearning.com.au
Cookie: MoodleSession=ckvhoqkk0ho3r559am69h1s9j6
>  HTTP/1.1 302 Moved Temporarily
>  Location: http://www.tmggloballearning.com.au/login/index.php

ix) GET /login/index.php HTTP/1.1
Host: www.tmggloballearning.com.au
Cookie: MoodleSession=ckvhoqkk0ho3r559am69h1s9j6
>  HTTP/1.1 303 See Other
>  Set-Cookie: MoodleSession=k389o489hhf5cps0e7616u94q0; path=/
>  Set-Cookie: MOODLEID1_=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
>  Location: http://www.tmggloballearning.com.au/login/index.php?testsession=226

x) GET /login/index.php?testsession=226 HTTP/1.1
Host: www.tmggloballearning.com.au
Cookie: MoodleSession=k389o489hhf5cps0e7616u94q0
>  HTTP/1.1 303 See Other
>  Location: http://www.tmggloballearning.com.au/my/

xi) GET /my/ HTTP/1.1
Host: www.tmggloballearning.com.au
Cookie: MoodleSession=k389o489hhf5cps0e7616u94q0
>  HTTP/1.1 200 OK

As you can see Moodle does a lot of redirection! But my concern is the response 
to the first POST (v); unlike the second POST (vii) it doesn't set the CASTGC 
cookie nor redirect back to Moodle but to itself. Note that in the original 
request to CAS (ii) the JSESSIONID is sent in the request as 
1hw2aav53nxmw141tysfwsch9y and is then changed to 1lwdoco5zbro47ic7mt69yfvh in 
the response to the first POST (v). If I clear the cache then the JSESSIONID is 
first set in the second response from the CAS server (iv) and everything is 
fine. If I logout and then attempt to login again then I run into the problem. 
However, if I logout (for a second time) and then back in again I don't 
encounter the problem; in this case the JSESSIONID is changed in the second 
response from the CAS server (iv). For some reason the JSESSIONID is not 
*always* set at (iv); what could be causing this and how do I solve it?

I am using CAS version 3.5.2, Jetty 9.1.0 and Java 1.7.0_45 on Ubuntu 10.04.4 
(lucid) and MySQL 5.5.34.

Cheers, 
Corin.
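
As an added illustration (not part of this thread, and not CAS or Moodle code), the script below re-enters the trace above as constructed data and walks it the way one would when triaging a double-login report: it tracks which session cookie each request sent against what the response set, flags the steps where a session identifier is rotated, separates login POSTs that redirect to the same login URL from POSTs that redirect with a service ticket, and notes Set-Cookie headers for session cookies that lack Secure or HttpOnly. The set of names treated as session cookies (JSESSIONID, MoodleSession) and the "same host and request-target" test for a self-redirect are assumptions of the example, not anything CAS defines.

```python
"""Walk a captured CAS/Moodle login trace (re-entered by hand from the
thread above, i.e. constructed sample data) and report session-cookie
rotations, self-redirecting login POSTs and missing cookie flags.
Standard library only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption of this example: these are the cookies that carry a session.
SESSION_COOKIES = {"JSESSIONID", "MoodleSession"}


@dataclass
class Exchange:
    step: int
    method: str
    host: str
    target: str                  # request-target: path plus query string
    cookie_header: str           # Cookie: header the client sent ("" if none)
    status: int
    set_cookies: List[str] = field(default_factory=list)
    location: Optional[str] = None


def parse_cookie_header(header: str) -> Dict[str, str]:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}"""
    jar: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def parse_set_cookie(line: str) -> Tuple[str, str, Dict[str, str]]:
    """'N=V;Path=/;Secure' -> ('N', 'V', {'path': '/', 'secure': ''})"""
    first, *attrs = line.split(";")
    name, _, value = first.strip().partition("=")
    flags: Dict[str, str] = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        flags[key.lower()] = val
    return name, value.strip('"'), flags


def location_target(location: str) -> Tuple[str, str]:
    """Split a Location URL into (host, request-target) for comparison."""
    u = urlsplit(location)
    return u.netloc, u.path + ("?" + u.query if u.query else "")


def analyze(trace: List[Exchange]) -> dict:
    findings: dict = {"rotations": [], "self_redirect_posts": [],
                      "ticket_posts": [], "missing_flags": []}
    for ex in trace:
        sent = parse_cookie_header(ex.cookie_header)
        for raw in ex.set_cookies:
            name, value, flags = parse_set_cookie(raw)
            if name not in SESSION_COOKIES:
                continue
            old = sent.get(name)
            if old is not None and old != value:       # id changed mid-flow
                findings["rotations"].append((ex.step, ex.host, name, old, value))
            missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in flags]
            if missing:
                findings["missing_flags"].append((ex.step, name, missing))
        if ex.method == "POST" and ex.location:
            host, target = location_target(ex.location)
            if (host, target) == (ex.host, ex.target):  # bounced back to itself
                findings["self_redirect_posts"].append(ex.step)
            elif "ticket=" in target:                   # handed a service ticket
                findings["ticket_posts"].append(ex.step)
    return findings


# Constructed from the trace in the thread; hosts and query string as posted.
WWW = "www.tmggloballearning.com.au"
CAS = "login.tmggloballearning.com.au"
SVC = "/login?service=http%3A%2F%2Fwww.tmggloballearning.com.au%2Flogin%2Findex.php"
OLD_JS, NEW_JS = "1hw2aav53nxmw141tysfwsch9y", "1lwdoco5zbro47ic7mt69yfvh"
OLD_MS, NEW_MS = "ckvhoqkk0ho3r559am69h1s9j6", "k389o489hhf5cps0e7616u94q0"
TICKET = "ST-11-etg7AuFkH7I7KW5wnxIq-tmggloballearning"
TRACE = [
    Exchange(1, "GET", WWW, "/login/index.php", f"MoodleSession={OLD_MS}", 302,
             location=f"https://{CAS}{SVC}&gateway=true"),
    Exchange(2, "GET", CAS, SVC + "&gateway=true", f"visited=yes; JSESSIONID={OLD_JS}", 302,
             ["visited=yes"], f"http://{WWW}/login/index.php"),
    Exchange(3, "GET", WWW, "/login/index.php", f"MoodleSession={OLD_MS}", 302,
             location=f"https://{CAS}{SVC}"),
    Exchange(4, "GET", CAS, SVC, f"JSESSIONID={OLD_JS}; visited=yes", 200, ["visited=yes"]),
    Exchange(5, "POST", CAS, SVC, f"JSESSIONID={OLD_JS}; visited=yes", 302,
             ["visited=yes", f"JSESSIONID={NEW_JS};Path=/;Secure"], f"https://{CAS}{SVC}"),
    Exchange(6, "GET", CAS, SVC, f"visited=yes; JSESSIONID={NEW_JS}", 200, ["visited=yes"]),
    Exchange(7, "POST", CAS, SVC, f"JSESSIONID={NEW_JS}; visited=yes", 302,
             ["visited=yes",
              'CASPRIVACY="";Version=1;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0',
              "CASTGC=TGT-11-j0G4MehvCRKYlk7YybXRUdz7uhTzQqyleqYbTaEbzexCrETm7B-tmggloballearning;Path=/;Secure"],
             f"http://{WWW}/login/index.php?ticket={TICKET}"),
    Exchange(8, "GET", WWW, f"/login/index.php?ticket={TICKET}", f"MoodleSession={OLD_MS}", 302,
             location=f"http://{WWW}/login/index.php"),
    Exchange(9, "GET", WWW, "/login/index.php", f"MoodleSession={OLD_MS}", 303,
             [f"MoodleSession={NEW_MS}; path=/",
              "MOODLEID1_=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/"],
             f"http://{WWW}/login/index.php?testsession=226"),
    Exchange(10, "GET", WWW, "/login/index.php?testsession=226", f"MoodleSession={NEW_MS}", 303,
             location=f"http://{WWW}/my/"),
    Exchange(11, "GET", WWW, "/my/", f"MoodleSession={NEW_MS}", 200),
]

if __name__ == "__main__":
    for key, items in analyze(TRACE).items():
        print(f"{key}: {items}")
```

Run as-is it reports the JSESSIONID rotation at the first POST (step 5) together with that POST's redirect back to the CAS login URL, the service-ticket redirect at the second POST (step 7), and the MoodleSession rotation at step 9, which is the normal session regeneration on a successful login. To triage a new capture, replace TRACE with the exchanges from your own proxy log; a rotation of JSESSIONID on a POST that then self-redirects is the signature of the symptom described in this thread.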


From: Misagh Moayyed [mailto:[email protected]] 
Sent: Wednesday, 25 December 2013 1:53 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [cas-user] Strange bug with JSESSIONID

...and before you submit, do you happen to stay on the login page for a certain 
period of time after which you are asked to enter credentials again?
Misagh


________________________________________
From: "Corin Lawson" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected], [email protected], 
[email protected]
Sent: Sunday, December 22, 2013 3:35:08 PM
Subject: Re: [cas-user] Strange bug with JSESSIONID
No, there is no load balancer...

On Thursday, December 19, 2013 7:47:52 PM UTC+11, Misagh Moayyed wrote:
Are your CAS nodes behind a load balancer? Is it configured to do sticky 
sessions? What is the length of its "timeout" period? 
Misagh


________________________________________
From: "Corin Lawson" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Sent: Wednesday, December 18, 2013 11:23:41 PM
Subject: Re: [cas-user] Strange bug with JSESSIONID
Hi,

I am facing these same symptoms (i.e. you have to put your username and 
password twice). I have tried both suggestions here (changing tracking-mode 
and/or removing the page session in top.jsp) but to no avail. The only solution 
I have is to clear my browser cache, which is no solution at all.

I am using CAS version 3.5.2, Jetty 9.1.0 and Java 1.7.0_45 on Ubuntu 10.04.4 
(lucid). 

Please help!

Cheers,
Corin.

On Thursday, June 27, 2013 11:33:11 PM UTC+10, Russ Baker wrote:
We had this exact same problem and this issue was discussed previously on 
another blog. It boiled down to an entry in 
“WEB-INF/view/jsp/default/ui/includes/top.jsp” where the session was being 
created each time. In top.jsp, there is a directive “<%@ page session="true" 
%>”. Change that to false or completely remove it and that should solve it.
 
From: Mahmudul Hasan [mailto:[email protected]] 
Sent: Wednesday, June 26, 2013 5:38 PM
To: [email protected]
Subject: [cas-user] Strange bug with JSESSIONID
 
Hi Everyone, 
 
I am facing this strange bug regarding JSESSIONID. The symptom is that you have 
to put your username and password twice, where one login attempt works but the 
other one does not. 
 
1. When I try to login to CAS and there is no existing JSESSIONID, the login 
works. 
2. But if I have a pre-existing JSESSIONID, then login attempt is responded by 
a 302 redirect with a SET-Cookie header. With the new JSESSIONID second login 
attempt works until we logout. 
 
It is making me believe that for some reason, CAS cannot access the JSESSIONID. 
 
 
I have also verified that this error is related to session variables by using 
URLS instead of cookies for session management. If I set   
<session-config>
    <!-- Default to 5 minute session timeouts -->
    <session-timeout>5</session-timeout>
    <tracking-mode>URL</tracking-mode>
  </session-config>
 
in my web.xml to force to pass JSESSIONID as part of URL, then the login works 
without any error. 
 
 
I am using CAS version 3.5.2, Apache Tomcat 7.0.37 and Java 1.7 on Debian 
Linux. 
 
Has anyone faced an issue like this? 
 
Thanks, 
Mahmudul Hasan 
System Engineer, 
University of Lethbridge. 
-- 
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user