Yeah, I saw that. Unfortunately that isn't enough information for me to explain to the management/web programmers that just want us to remove it.

On Monday, November 3, 2014 11:01:20 AM UTC-5, Waldbieser, Carl wrote:
>
> From the protocol spec [1]:
>
> "Its purpose is to prevent the replaying of credentials due to bugs in web browsers."
>
> [1] https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#35-login-ticket
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Rex Roof" <[email protected]>
> To: [email protected]
> Cc: [email protected], [email protected]
> Sent: Monday, November 3, 2014 10:43:53 AM
> Subject: Re: [cas-user] loginToken expiration
>
> The javascript thing is what I'm working on.
>
> I still need to know the answers to the two other questions, though, and maybe my googlefu sucks but I'm coming up short searching the archives:
>
> What is the timeout currently set to? Can I change it?
>
> What is the security reason for this loginTicket in the first place?
>
> On Friday, October 31, 2014 5:39:37 AM UTC-4, Jérôme LELEU wrote:
> >
> > Hi,
> >
> > It is somehow a well-known problem. The loginToken as well as the webflow more generally, relies on the web session. And when it expires, indeed 'bad things' happen.
> > About solutions, there have been already several discussions about this topic. A really easy solution is to reload your login page using Javascript before the expiration occurs. A more promising one, built by Marvin and Misagh, is to store the webflow on the client side. I hope it will be available for CAS server version 4.1.
> > Best regards,
> > Jérôme
> > On 30 Oct. 2014 19:15, "Rex Roof" <[email protected]> wrote:
> >
> >> I'm using cas-3.5.2 and I'm noticing an oversight regarding the loginToken that is used on the login page.
> >>
> >> We have a workflow that ends up with users timing out of an application and having a page reloaded to our CAS login page. If they let this page sit for an amount of time and they attempt to log in they are redirected to the login page again without any error presented.
> >>
> >> Is there an error for when the loginToken has expired? Can I add one?
> >>
> >> What is the timeout for the loginToken? Is it configurable?
> >>
> >> Is there a plaintext reason for why the loginToken exists that I can present to our vested users (aka management)?
> >>
> >> - Rex Roof
> >> WCC Systems Engineer <[email protected]>
> >>
> >> --
> >> You are currently subscribed to [email protected] as: [email protected]
> >> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
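
Added example (not part of the thread and not CAS source code): a minimal sketch of a single-use, time-limited login ticket, showing how a replayed form post is rejected and how an expired ticket can be reported to the user instead of silently redisplaying the login page. The class and function names, the messages and the lifetime passed to the store are assumptions made for illustration; only the `lt` form parameter and the `LT-` prefix come from the CAS protocol.

```python
import secrets
import time
from enum import Enum

class TicketResult(Enum):
    OK = "ok"
    EXPIRED = "expired"   # form sat open too long: say so and re-render it
    UNKNOWN = "unknown"   # never issued or already used: possible replay

class LoginTicketStore:
    """Hypothetical in-memory store, for illustration only."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._issued = {}  # ticket -> time it was issued

    def issue(self):
        # Unguessable value embedded in the login form as the "lt" field.
        ticket = "LT-" + secrets.token_urlsafe(24)
        self._issued[ticket] = self._clock()
        return ticket

    def consume(self, ticket):
        # pop() makes the ticket single-use: a second post of the same
        # form (for example a browser re-submitting cached data) fails.
        issued_at = self._issued.pop(ticket, None)
        if issued_at is None:
            return TicketResult.UNKNOWN
        if self._clock() - issued_at > self._ttl:
            return TicketResult.EXPIRED
        return TicketResult.OK

def handle_login_post(store, form, check_credentials):
    """Return (authenticated, message). Credentials are only checked
    when the form carries a fresh, unused login ticket."""
    result = store.consume(form.get("lt", ""))
    if result is TicketResult.EXPIRED:
        return False, "Your login page expired. Please sign in again."
    if result is TicketResult.UNKNOWN:
        return False, "This login form was already submitted or is invalid."
    if not check_credentials(form.get("username"), form.get("password")):
        return False, "Invalid credentials."
    return True, "Logged in."
```
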
