Prasad,
1. CAS uses a Ticket Granting cookie (TGC) to track the TGT issued during
authentication.
2. CAS does not specifically protect from these attacks. However, if you are
using TLS as the transport layer for your services, that protects against MITM
and replay attacks. Cross Site Request Forgery protection is something each
service provider must provide for itself where applicable.
3. A TGT is a long-lived ticket that allows you to request service tickets for
specific services from CAS without having to re-present primary credentials. A
service ticket (ST) is a short-lived, one time use ticket that a service
provider validates with CAS in order to authenticate the user. It is kind of
like:
user: CAS, please give me a one-time ST good for service "foo".
CAS : You don't have a TGT, so please provide me with credentials.
user: Here is my username and password.
CAS : Looks good. Here is a TGT that is good for 8 hours.
You can use that next time instead of having to type in your
credentials.
Also, here is the ST you asked for. It is only good for 10 seconds.
user: Service "foo", here is a service ticket that identifies me.
foo : CAS, I received this ST-- could you validate it please?
CAS : This ST is good. It is for user "jdoe".
foo : User "jdoe", welcome to the "foo" service!
Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College
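The ticket exchange Carl walks through above, as an added Python model that is not part of the original thread and not CAS's own code. It keeps the page's numbers (a TGT good for 8 hours, an ST good for 10 seconds), the user "jdoe" and the service "foo"; the password, the ticket formats and the `FakeClock` helper are constructed for the example. The point it makes is the one in answer 2 and 3: the ST is one-time use and bound to the service it was requested for, so a captured ST cannot be presented a second time, while the TGT is the long-lived credential that must be kept in the TGC cookie.

```python
import secrets
import time

TGT_LIFETIME_S = 8 * 3600  # page: "a TGT that is good for 8 hours"
ST_LIFETIME_S = 10         # page: "It is only good for 10 seconds"


class FakeClock:
    """Constructed test clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.t = start
    def now(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class CasServer:
    """Toy CAS: issues TGTs on primary authentication, STs against a TGT,
    and validates STs for a service. Not the real CAS implementation."""
    def __init__(self, users, clock=time.time):
        self._users = users          # username -> password (constructed)
        self._clock = clock
        self._tgts = {}              # tgt id -> (username, expires_at)
        self._sts = {}               # st id  -> (username, service, expires_at)

    def login(self, username, password):
        """Primary authentication. Returns the TGT id (the value a real CAS
        would set in the TGC cookie), or None on bad credentials."""
        if self._users.get(username) != password:
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)   # unguessable identifier
        self._tgts[tgt] = (username, self._clock() + TGT_LIFETIME_S)
        return tgt

    def grant_service_ticket(self, tgt, service):
        """Issue a short-lived ST for `service` if the TGT is valid."""
        entry = self._tgts.get(tgt)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._tgts[tgt]                      # expired TGT: re-present credentials
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self._sts[st] = (username, service, self._clock() + ST_LIFETIME_S)
        return st

    def validate(self, st, service):
        """Called by the service provider. The ST is consumed on first use,
        whether or not it validates, so a replayed ST always fails."""
        entry = self._sts.pop(st, None)
        if entry is None:
            return None
        username, bound_service, expires_at = entry
        if self._clock() >= expires_at or bound_service != service:
            return None
        return username


def run_flow(clock):
    """Walk through the exchange in the message above and collect outcomes."""
    cas = CasServer({"jdoe": "correct-horse"}, clock=clock.now)  # constructed password
    out = {}
    # user asks for an ST without a TGT: CAS demands credentials instead
    out["no_tgt"] = cas.grant_service_ticket("TGT-bogus", "foo")
    tgt = cas.login("jdoe", "correct-horse")
    st = cas.grant_service_ticket(tgt, "foo")
    out["first_validation"] = cas.validate(st, "foo")   # "jdoe"
    out["replay"] = cas.validate(st, "foo")             # None: one-time use
    st2 = cas.grant_service_ticket(tgt, "foo")
    clock.advance(11)                                    # past the 10 s ST lifetime
    out["expired_st"] = cas.validate(st2, "foo")        # None
    st3 = cas.grant_service_ticket(tgt, "foo")
    out["wrong_service"] = cas.validate(st3, "bar")     # None: bound to "foo"
    clock.advance(8 * 3600)                              # past the TGT lifetime
    out["expired_tgt"] = cas.grant_service_ticket(tgt, "foo")  # None
    return out


if __name__ == "__main__":
    for step, result in run_flow(FakeClock()).items():
        print(f"{step:>17}: {result}")
```

Note that in this model only the TGT value ever needs protecting for the session's lifetime; that is why the TGC cookie and the CAS login page are the pieces to put behind TLS, and why a service provider can afford to pass the ST through a plain URL parameter once TLS is in place.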
----- Original Message -----
From: "Durga Prasad" <[email protected]>
To: [email protected]
Sent: Sunday, February 8, 2015 10:35:43 AM
Subject: [cas-user] How does CAS perform Session Management?
Hi Folks,
I have a few doubts on CAS.
1. How does CAS maintain session between multiple applications?
2. How is CAS secure from Man in the middle attack & Replay, CSRF attacks?
3. What is the difference between TGT & service ticket?
Kindly clarify my doubts.
Thanks in advance.
Regards
Prasad
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user