As far as CSRF on the CAS server login page, the login ticket, called lt in the JSP, is a randomly generated synchronizer token submitted with the login form that prevents CSRF. This is an OWASP recommended solution for dealing with CSRF, see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet.

The Service Ticket, as Carl said, is a one-time-use ticket that is very short lived. Since it's one-time use it's not vulnerable to a replay. A man in the middle theoretically could steal the ST. The risk can be reduced by using an appropriate service ticket expiration time, only allowing encrypted communications between CAS server and application, etc. CAS has put a great deal of thought into possible security risks and mitigations. You might be interested in some of the details on the wiki:

https://wiki.jasig.org/display/CAS/CAS+Threat+Modeling
https://wiki.jasig.org/display/CAS/Proposals+to+mitigate+security+risks

Nancy

________________________________________
From: Waldbieser, Carl [[email protected]]
Sent: Monday, February 09, 2015 8:33 AM
To: [email protected]
Subject: Re: [cas-user] How does CAS perform Session Management?

Prasad,

1. CAS uses a Ticket Granting cookie (TGC) to track the TGT issued during authentication.

2. CAS does not specifically protect from these attacks. However, if you are using TLS as the transport layer for your services, that protects against MITM and replay attacks. Cross Site Request Forgery protection is something each service provider must provide for itself where applicable.

3. A TGT is a long-lived ticket that allows you to request service tickets for specific services from CAS without having to re-present primary credentials. A service ticket (ST) is a short-lived, one-time-use ticket that a service provider validates with CAS in order to authenticate the user. It is kind of like:

user: CAS, please give me a one-time ST good for service "foo".
CAS : You don't have a TGT, so please provide me with credentials.
user: Here is my username and password.
CAS : Looks good. Here is a TGT that is good for 8 hours. You can use that next time instead of having to type in your credentials. Also, here is the ST you asked for. It is only good for 10 seconds.
user: Service "foo", here is a service ticket that identifies me.
foo : CAS, I received this ST -- could you validate it please?
CAS : This ST is good. It is for user "jdoe".
foo : User "jdoe", welcome to the "foo" service!

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Durga Prasad" <[email protected]>
To: [email protected]
Sent: Sunday, February 8, 2015 10:35:43 AM
Subject: [cas-user] How does CAS perform Session Management?

Hi Folks,

I have a few doubts on CAS.

1. How does CAS maintain session between multiple applications?
2. How is CAS secure from Man in the middle attack & Replay, CSRF attacks?
3. What is the difference between TGT & service ticket?

Kindly clarify my doubts.

Thanks in advance.

Regards
Prasad

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
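The ticket flow Carl walks through above, and the one-time-use property Nancy relies on for the ST, as an added Python sketch that is not CAS code and not from either poster: a toy ticket registry that issues a TGT and single-use STs, binds each ST to its service, and shows a replayed, expired or mis-addressed ST being rejected. The lifetimes are the 8 hours and 10 seconds from Carl's example; the hard-coded password check and the injectable clock are assumptions made so the flow runs offline.

```python
import secrets
import time

# Lifetimes from Carl's example: TGT good for 8 hours, ST good for 10 seconds.
TGT_LIFETIME = 8 * 3600
ST_LIFETIME = 10

class CasServer:
    """Toy CAS: issues TGTs and single-use STs. Constructed example, not CAS code."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.tgts = {}  # TGT id -> (user, expiry)
        self.sts = {}   # ST id -> (user, service, expiry)

    def login(self, username, password, service):
        # Stand-in credential check (assumed); real CAS delegates to an auth handler.
        if password != "correct horse":
            raise PermissionError("bad credentials")
        tgt = "TGT-" + secrets.token_urlsafe(32)  # unguessable ticket id
        self.tgts[tgt] = (username, self.clock() + TGT_LIFETIME)
        return tgt, self.grant_service_ticket(tgt, service)

    def grant_service_ticket(self, tgt, service):
        user, expiry = self.tgts.get(tgt, (None, 0))
        if user is None or self.clock() > expiry:
            self.tgts.pop(tgt, None)
            raise PermissionError("no valid TGT; re-present credentials")
        st = "ST-" + secrets.token_urlsafe(32)
        self.sts[st] = (user, service, self.clock() + ST_LIFETIME)
        return st

    def validate(self, st, service):
        # pop() consumes the ticket: a second (replayed) validation finds nothing.
        user, bound_service, expiry = self.sts.pop(st, (None, None, 0))
        if user is None or self.clock() > expiry or bound_service != service:
            return None
        return user

def run_flow():
    now = [1000.0]  # controllable clock so the 10 s ST expiry can be exercised
    cas = CasServer(clock=lambda: now[0])
    tgt, st = cas.login("jdoe", "correct horse", "foo")
    first = cas.validate(st, "foo")             # "jdoe": fresh ST accepted
    replay = cas.validate(st, "foo")            # None: one-time use
    st2 = cas.grant_service_ticket(tgt, "foo")  # TGT reused, no password needed
    now[0] += 11
    stale = cas.validate(st2, "foo")            # None: past the 10 s lifetime
    wrong = cas.validate(cas.grant_service_ticket(tgt, "foo"), "bar")  # None: bound to "foo"
    return first, replay, stale, wrong
```

Note that this only models the ticket registry; the transport protections Carl mentions (TLS between user, service and CAS) are what keep the ST from being observed in the first place.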
