From the protocol spec [1]:

  "Its purpose is to prevent the replaying of credentials due to bugs in web 
browsers."

[1] https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#35-login-ticket

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Rex Roof" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected]
Sent: Monday, November 3, 2014 10:43:53 AM
Subject: Re: [cas-user] loginToken expiration

The JavaScript thing is what I'm working on.

I still need to know the answers to the two other questions, though, and 
maybe my googlefu sucks but I'm coming up short searching the archives:

What is this timeout currently set to? Can I change it?

What is the security reason for this loginTicket in the first place?



On Friday, October 31, 2014 5:39:37 AM UTC-4, Jérôme LELEU wrote:
>
> Hi,
>
> It is somehow a well-known problem. The loginToken as well as the webflow 
> more generally, relies on the web session. And when it expires, indeed 'bad 
> things' happen.
> About solutions, there have been already several discussions about this 
> topic. A really easy solution is to reload your login page using JavaScript 
> before the expiration occurs. A more promising one, built by Marvin and 
> Misagh, is to store the webflow on the client side. I hope it will be 
> available for CAS server version 4.1.
> Best regards, 
> Jérôme
> On 30 Oct. 2014 19:15, "Rex Roof" <[email protected]> wrote:
>
>> I'm using cas-3.5.2 and I'm noticing an oversight regarding the 
>> loginToken that is used on the login page. 
>>
>> We have a workflow that ends up with users timing out of an application 
>> and having a page reloaded to our CAS login page.   If they let this page 
>> sit for an amount of time and they attempt to log in they are redirected to 
>> the login page again without any error presented. 
>>
>> Is there an error for when the loginToken has expired?  Can I add one?
>>
>> What is the timeout for the loginToken? Is it configurable?
>>
>>
>> Is there a plaintext reason for why the loginToken exists that I can 
>> present to our vested users (aka management)?
>>
>>
>>
>> - Rex Roof
>> WCC Systems Engineer  <[email protected]>
>>
>>  -- 
>> You are currently subscribed to [email protected] as: 
>> [email protected]
>> To unsubscribe, change settings or access archives, see 
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>

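The questions in this thread (why the login ticket exists, and why an expired one gives no error) can be seen in a simplified model of a single-use, expiring login ticket. This is an added example, not code from CAS or from anyone in the thread: the single-use rule and `LT-` prefix follow the login ticket section of the protocol spec linked above, while `LoginTicketStore`, the TTL value, the outcome names and the messages are assumptions made for illustration.

```javascript
// Illustrative model only; CAS 3.5.2 keeps this state in the webflow/session.
const { randomBytes } = require('node:crypto');

const LT_TTL_MS = 5 * 60 * 1000; // constructed value, not a CAS default

class LoginTicketStore {
  constructor(ttlMs = LT_TTL_MS, now = () => Date.now()) {
    this.ttlMs = ttlMs;
    this.now = now;          // injectable clock so expiry can be exercised
    this.issued = new Map(); // ticket -> expiry time in ms
  }

  // Called when the login form is rendered; the value goes in a hidden field.
  issue() {
    const lt = 'LT-' + randomBytes(16).toString('hex');
    this.issued.set(lt, this.now() + this.ttlMs);
    return lt;
  }

  // Called when credentials are posted. The ticket is consumed on every
  // attempt, so a form re-submitted by the browser is rejected.
  redeem(lt) {
    const expiresAt = this.issued.get(lt);
    if (expiresAt === undefined) return 'UNKNOWN_OR_REUSED';
    this.issued.delete(lt);
    return this.now() > expiresAt ? 'EXPIRED' : 'OK';
  }
}

// Turn the outcome into something the login page can display, instead of
// silently redirecting back to the form.
function loginPageMessage(outcome) {
  switch (outcome) {
    case 'OK': return null;
    case 'EXPIRED': return 'This login page expired. Please sign in again.';
    default: return 'This login form was already submitted. Please try again.';
  }
}

// Constructed scenario: first post, browser replay, then a stale form.
function demo() {
  let t = 0;
  const store = new LoginTicketStore(1000, () => t);
  const fresh = store.issue();
  const first = store.redeem(fresh);
  const replay = store.redeem(fresh);
  const stale = store.issue();
  t = 5000; // the page sat open past the TTL
  return { first, replay, late: store.redeem(stale) };
}
```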