On 10/22/2014 08:25 AM, Adam Causey wrote:
> I would like some feedback on how others handle services that are
> non-https (i.e. http://). Do most of you allow or disallow this?
> Currently we allow non-SSL sites for some services, but are considering
> requiring https for everything except localhost for developers.
> How much of a security concern is this? The only thought I have is that
> the Service Ticket could potentially be sniffed and used, even though
> there is only a 10 second window to use the ticket.
> Thanks!
We don't allow it. If the site isn't protected by HTTPS, it might as
well not be protected at all. After the service ticket comes a session
cookie from the service. If that is transmitted over HTTP, that can be
sniffed and used at any point. Just put everything behind HTTPS.
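One way to vet registered service URLs against the policy discussed above (https required for everything, plain http tolerated only for a developer's localhost), as an added example that is not part of this thread or of CAS itself; the function names and the loopback allow-list are assumptions:

```python
"""Policy check for service URLs: require https://, except for developer
services on a loopback host. Added example, not CAS code; names are assumed."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hosts a developer may register over plain http (assumed allow-list).
LOOPBACK_HOSTS = {"localhost"}


def is_loopback(host: str) -> bool:
    """True only for the literal host 'localhost' or a loopback IP address.
    Deliberately does NOT match look-alikes such as 'localhost.example.com'."""
    host = host.lower().rstrip(".")
    if host in LOOPBACK_HOSTS:
        return True
    try:
        return ip_address(host).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False


def service_url_allowed(url: str, allow_localhost_http: bool = True) -> bool:
    """Return True if the service URL satisfies the https-only policy."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""  # lower-cased; IPv6 brackets stripped
    except ValueError:  # malformed URL (e.g. unbalanced IPv6 brackets)
        return False
    if not host:
        return False  # no host at all: 'javascript:', '//', etc.
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        return allow_localhost_http and is_loopback(host)
    return False  # any other scheme is rejected outright


def noncompliant_services(urls, allow_localhost_http: bool = True):
    """Audit a list of registered service URLs; return the ones that violate policy."""
    return [u for u in urls if not service_url_allowed(u, allow_localhost_http)]


if __name__ == "__main__":
    # Constructed sample registry, not real services.
    registry = [
        "https://app.example.edu/login",
        "http://localhost:8080/cas-client",
        "http://127.0.0.1/app",
        "http://localhost.example.com/",  # look-alike, must be rejected
        "http://app.example.edu/",
    ]
    print("non-compliant:", noncompliant_services(registry))
```

The session cookie the service issues after ticket validation needs the `Secure` flag as well; the URL policy only stops the http service from being registered in the first place.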