Thanks for the comments. The CAS admin prior to me had a few clients set up that indicate they are using http (not https).
thanks!

On Mon, Mar 10, 2014 at 1:42 PM, Andrew Morgan <[email protected]> wrote:
> On Mon, 10 Mar 2014, Richard Frovarp wrote:
>> On 03/10/2014 06:52 AM, Adam Causey wrote:
>>> I was curious if there is a requirement (or if it is highly
>>> recommended) that clients using CAS/SSO be encrypted with an SSL
>>> certificate (i.e. https). Since CAS does the authentication piece, is
>>> there still a need to require SSL on the clients?
>>>
>>> The one part of the equation that I see as a risk is someone
>>> intercepting the ticket URL parameter and then posing as the client to
>>> pull back the attribute XML on the validate call. Or is the ticket
>>> parameter so short-lived that this is not a concern?
>>>
>>> -Adam
>>
>> SSL with Secure Only cookies is the only way to protect the session on
>> the client. See the Cookie Monster.
>
> Yeah... If you are not using SSL, why bother authenticating at all?
> Anyone who can sniff your network traffic can impersonate you. :)
>
> Andy
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
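As an added illustration that is not part of this thread and not CAS project code: a small Python model of the two exposures discussed above for a client running on plain HTTP. It shows why a sniffed `ticket=` parameter is only useful inside a race with the legitimate validation (the service ticket is consumed on first use and expires), and why the application's own session cookie is the longer-lived problem unless it carries the Secure flag. The 10 s ticket lifetime, the service URL, the user name and the cookie names are assumptions made for the example; real deployments configure these.

```python
# Added example, not from the cas-user thread or the CAS project.
# Toy model of a CAS client on http://: the service ticket in the ticket=
# URL parameter versus the application session cookie set after validation.
# Ticket lifetime, service URL, user and cookie names are assumptions.
import secrets
import time
import urllib.parse

ST_TTL_SECONDS = 10.0  # assumed service-ticket lifetime
SERVICE = "http://app.example.edu/login"  # assumed (cleartext) service URL


class ToyCasServer:
    """Minimal stand-in for a CAS server's ticket registry."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._tickets = {}  # ticket id -> (service, issued_at, user)

    def grant_service_ticket(self, service, user):
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (service, self._clock(), user)
        return st

    def service_validate(self, service, ticket):
        """Mimics /serviceValidate: the ticket is consumed on first use,
        must be bound to the presenting service, and must be unexpired."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return {"success": False, "code": "INVALID_TICKET"}
        bound_service, issued_at, user = entry
        if bound_service != service:
            return {"success": False, "code": "INVALID_SERVICE"}
        if self._clock() - issued_at > ST_TTL_SECONDS:
            return {"success": False, "code": "INVALID_TICKET"}
        return {"success": True, "user": user}


def ticket_from_url(url):
    """What a sniffer sees: the ticket= parameter on the redirect back to
    the service (the whole URL is cleartext when the service is http://)."""
    query = urllib.parse.urlparse(url).query
    return urllib.parse.parse_qs(query).get("ticket", [None])[0]


def cookie_is_sniffable(set_cookie_header):
    """True if the Set-Cookie header has no Secure attribute, i.e. the
    browser will also send this cookie on plain-HTTP requests, where it can
    be read off the wire and replayed for the rest of the session."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


def scenario_client_validates_first():
    """Sniffed ticket replayed after the real client validated: rejected."""
    cas = ToyCasServer()
    st = cas.grant_service_ticket(SERVICE, "adam")
    redirect = SERVICE + "?" + urllib.parse.urlencode({"ticket": st})
    sniffed = ticket_from_url(redirect)
    client = cas.service_validate(SERVICE, st)
    attacker = cas.service_validate(SERVICE, sniffed)
    return client["success"], attacker["code"]


def scenario_attacker_wins_race():
    """Attacker validates the sniffed ticket first: they get the attribute
    payload and the real client's validation then fails. This is the ticket
    exposure raised in the thread; the window is a single validation."""
    cas = ToyCasServer()
    st = cas.grant_service_ticket(SERVICE, "adam")
    redirect = SERVICE + "?" + urllib.parse.urlencode({"ticket": st})
    attacker = cas.service_validate(SERVICE, ticket_from_url(redirect))
    client = cas.service_validate(SERVICE, st)
    return attacker["success"], attacker.get("user"), client["code"]


def scenario_ticket_expired():
    """A ticket held past its lifetime is useless even if never used."""
    now = [0.0]
    cas = ToyCasServer(clock=lambda: now[0])
    st = cas.grant_service_ticket(SERVICE, "adam")
    now[0] += ST_TTL_SECONDS + 1
    return cas.service_validate(SERVICE, st)["code"]


if __name__ == "__main__":
    print(scenario_client_validates_first())
    print(scenario_attacker_wins_race())
    print(scenario_ticket_expired())
    # Session cookie the application sets after validation (assumed name);
    # only the second form stays off the wire for an http:// client.
    print(cookie_is_sniffable("JSESSIONID=c0ffee; Path=/; HttpOnly"))
    print(cookie_is_sniffable("JSESSIONID=c0ffee; Path=/; Secure; HttpOnly"))
```

The ticket scenarios show that the `ticket=` parameter buys an eavesdropper at most one validation, and only if they beat the legitimate client to it. The cookie check is the part worth running against a real client: if the session cookie the application sets after a successful validation has no Secure attribute and the service is reachable over http://, the session, not the ticket, is what gets sniffed and replayed.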
