Well, if a user gets impatient and starts hitting the refresh button, they can 
log in multiple times.  Each time they log in, they generate another TGT, which 
unfortunately will hang around for a long time until it expires.  This can mess 
up any statistics tracking you are doing.

In theory, it does make it *marginally* harder to launch a DoS attack, since 
you need to request the LT and then present it with credentials.  Without the 
LT, an attacker can make requests POSTing the credentials as fast as she can to 
fill up the CAS ticket store.  Requiring the LT slows the attack down to the 
rate at which your CAS is willing to issue LTs.  

In practice, I think it was designed to keep users from accidentally logging in 
multiple times.

Thanks,
Carl
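Added example (not CAS code, and not from any poster in this thread): a minimal one-time login-ticket store showing the checks Carl's reply describes, with a POST lacking an LT rejected before any ticket-store work, a resubmitted LT rejected as a replay, and an expired LT given its own status so the login page can show an error instead of silently redirecting. The class, the status names and the 60 s lifetime are assumptions.

```python
import secrets
import time

# Constructed illustration of the one-time login ticket (LT) pattern discussed
# in the thread. This is not CAS code; class and status names and the 60 s
# lifetime are assumptions made for the example.


class LoginTicketStore:
    """Issues single-use login tickets and consumes them on the credential POST."""

    def __init__(self, lifetime_s=60, clock=time.monotonic):
        self._lifetime = lifetime_s
        self._clock = clock          # injectable so expiry can be tested offline
        self._tickets = {}           # ticket id -> time of issue

    def issue(self):
        # The LT goes into the login form as a hidden field; it is unguessable
        # and only ever accepted once, so a browser resubmit cannot reuse it.
        lt = "LT-" + secrets.token_urlsafe(16)
        self._tickets[lt] = self._clock()
        return lt

    def consume(self, lt):
        """Return 'ok', or the reason the POST must not reach the credential check."""
        if not lt:
            return "missing"         # bare POST of credentials, no LT requested first
        issued = self._tickets.pop(lt, None)   # pop makes the ticket single-use
        if issued is None:
            return "invalid"         # already consumed (replay) or never issued
        if self._clock() - issued > self._lifetime:
            return "expired"         # stale login page: worth a distinct error message
        return "ok"


def login(store, lt, username, password):
    """Only a POST carrying a fresh, unused LT reaches the credential check."""
    status = store.consume(lt)
    if status != "ok":
        return status
    # Credential verification stub for the example; a real deployment would
    # only mint a TGT after this succeeds.
    if username == "alice" and password == "correct horse":
        return "ok"
    return "bad_credentials"
```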

----- Original Message -----
From: "Rex Roof" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Sent: Tuesday, November 4, 2014 9:02:18 AM
Subject: Re: [cas-user] loginToken expiration

yeah, I saw that. 
unfortunately that isn't enough information for me to explain to the 
management/web programmers that just want us to remove it.


On Monday, November 3, 2014 11:01:20 AM UTC-5, Waldbieser, Carl wrote:
>
>
> From the protocol spec [1]: 
>
>   "Its purpose is to prevent the replaying of credentials due to bugs in 
> web browsers." 
>
> [1] 
> https://github.com/Jasig/cas/blob/master/cas-server-protocol/3.0/cas_protocol_3_0.md#35-login-ticket
>  
>
> Thanks, 
> Carl Waldbieser 
> ITS System Programmer 
> Lafayette College 
>
> ----- Original Message ----- 
> From: "Rex Roof" <[email protected]> 
> To: [email protected] 
> Cc: [email protected], [email protected] 
> Sent: Monday, November 3, 2014 10:43:53 AM 
> Subject: Re: [cas-user] loginToken expiration 
>
> The javascript thing is what I'm working on. 
>
> I still need to know the answers to the two other questions, though, and 
> maybe my googlefu sucks but I'm coming up short searching the archives: 
>
> What is the timeout currently set to?  Can I change it? 
>
> What is the security reason for this loginTicket in the first place? 
>
>
>
> On Friday, October 31, 2014 5:39:37 AM UTC-4, Jérôme LELEU wrote: 
> > 
> > Hi, 
> > 
> > It is somehow a well-known problem. The loginToken, as well as the 
> > webflow more generally, relies on the web session. And when it expires, 
> > indeed 'bad things' happen. 
> > About solutions, there have already been several discussions about this 
> > topic. A really easy solution is to reload your login page using 
> > Javascript before the expiration occurs. A more promising one, built by 
> > Marvin and Misagh, is to store the webflow on the client side. I hope it 
> > will be available for CAS server version 4.1. 
> > Best regards, 
> > Jérôme 
> > On 30 Oct 2014 19:15, "Rex Roof" <[email protected]> wrote: 
> > 
> >> I'm using cas-3.5.2 and I'm noticing an oversight regarding the 
> >> loginToken that is used on the login page. 
> >> 
> >> We have a workflow that ends up with users timing out of an application 
> >> and having a page reloaded to our CAS login page. If they let this page 
> >> sit for an amount of time and then attempt to log in, they are redirected 
> >> to the login page again without any error presented. 
> >> 
> >> Is there an error for when the loginToken has expired? Can I add one? 
> >> 
> >> What is the timeout for the loginToken? Is it configurable? 
> >> 
> >> Is there a plaintext reason for why the loginToken exists that I can 
> >> present to our vested users (aka management?) 
> >> 
> >> - Rex Roof 
> >> WCC Systems Engineer <[email protected]> 
> >> 
> >> -- 
> >> You are currently subscribed to [email protected] as: [email protected] 
> >> To unsubscribe, change settings or access archives, see 
> >> http://www.ja-sig.org/wiki/display/JSG/cas-user 
