On Mon, 10 Mar 2014, Richard Frovarp wrote:

On 03/10/2014 06:52 AM, Adam Causey wrote:
I was curious if there is a requirement (or if it is highly
recommended) that clients using CAS/SSO be encrypted with an SSL
certificate (i.e. https).  Since CAS does the authentication piece, is
there still a need to require SSL on the clients?

The one part of the equation that I see as a risk is someone
intercepting the ticket URL parameter and then posing as the client to
pull back the attribute XML on the validate call.  Or is the ticket
parameter so short-lived that this is not a concern?

-Adam


SSL with Secure Only cookies is the only way to protect the session on
the client. See the Cookie Monster.

Yeah... If you are not using SSL, why bother authenticating at all? Anyone who can sniff your network traffic can impersonate you. :)

        Andy
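As an added illustration of the point made in this thread (example code, not from CAS or from anyone in the thread): a toy Python model in which service tickets are single-use, bound to one service and expire after a short TTL, placed beside the session cookie the client sets once validation succeeds. The ticket's short life limits replay of the ticket itself, but the client's own session cookie is only protected on the wire when it carries the Secure flag, which requires HTTPS. The class and function names and the 10-second TTL are assumptions for this example.

```python
"""Toy model of CAS-style service tickets and the client's session cookie."""
import secrets

TICKET_TTL = 10.0  # seconds; assumed value, service tickets are short-lived


class TicketRegistry:
    """Issues one-time-use service tickets bound to a service URL."""

    def __init__(self):
        self._tickets = {}  # ticket id -> (service, user, issued_at)

    def issue(self, service, user, now):
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, user, now)
        return ticket

    def validate(self, ticket, service, now):
        """Return the user for a fresh, unused ticket bound to `service`, else None.

        The ticket is removed on first lookup, so a second validate call with
        the same ticket (a replay) fails even inside the TTL window.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        bound_service, user, issued_at = entry
        if bound_service != service or now - issued_at > TICKET_TTL:
            return None
        return user


def session_cookie(name, value, over_https):
    """Set-Cookie value for the client's own session after validation.

    Without HTTPS the Secure flag cannot be used, so the cookie travels in
    clear text on every request regardless of how short-lived the ticket was.
    """
    flags = ["HttpOnly", "SameSite=Lax"]
    if over_https:
        flags.append("Secure")
    return f"{name}={value}; " + "; ".join(flags)


def client_login(registry, service, user, over_https, now):
    """Models redirect-with-ticket, validation, then the client's own session."""
    ticket = registry.issue(service, user, now)
    if registry.validate(ticket, service, now + 0.5) is None:
        return None
    return ticket, session_cookie("JSESSIONID", secrets.token_urlsafe(16), over_https)
```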

--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user