On 03/10/2014 06:52 AM, Adam Causey wrote:
> I was curious if there is a requirement (or if it is highly
> recommended) that clients using CAS/SSO be encrypted with an SSL
> certificate (i.e. https). Since CAS does the authentication piece, is
> there still a need to require SSL on the clients?
>
> The one part of the equation that I see as a risk is someone
> intercepting the ticket URL parameter and then posing as the client to
> pull back the attribute XML on the validate call. Or is the ticket
> parameter so short-lived that this is not a concern?
>
> -Adam
SSL with Secure Only cookies is the only way to protect the session on the client. See the Cookie Monster.
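The two exposures the thread raises, checked in code: an added Python example (not from the thread or from CAS itself) that audits a CAS client's Set-Cookie headers for the Secure and HttpOnly attributes and verifies that the service URL, where the ticket parameter is delivered, is https. The cookie names and values are constructed.

```python
"""Audit a CAS client's session cookies and service URL for the weaknesses
raised in the thread: a non-HTTPS service URL exposes the ticket parameter in
transit, and a session cookie without the Secure attribute is replayed over
plain HTTP. Sample data below is constructed, not captured."""
from urllib.parse import urlparse

# Constructed Set-Cookie headers as a CAS-protected application might send them.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly",       # missing Secure
    "CASTGC=TGT-1-constructed; Path=/cas; Secure; HttpOnly",  # ok
    "MOD_AUTH_CAS=abc; Path=/",                               # missing both
]


def parse_set_cookie(header):
    """Return (name, {attribute: value}) for one Set-Cookie header value.
    Flag attributes such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.lower()] = value if value else True
    return name, attrs


def audit_cookies(headers):
    """List one finding per missing Secure or HttpOnly attribute."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if attrs.get("secure") is not True:
            findings.append(f"{name}: missing Secure (sent over http:// too)")
        if attrs.get("httponly") is not True:
            findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
    return findings


def service_url_is_https(service):
    """CAS redirects the browser to the 'service' URL with ?ticket=ST-...;
    if that URL is http://, the ticket crosses the network in the clear."""
    return urlparse(service).scheme == "https"


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_SET_COOKIE):
        print(finding)
    print("service over https:", service_url_is_https("http://app.example.org/login"))
```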
