Hi Carl,

Superb explanation. Really articulated well.

Thanks much.

Regards,
Prasad

On Mon, Feb 9, 2015 at 10:33 PM, Waldbieser, Carl <[email protected]>
wrote:

> Prasad,
>
> 1. CAS uses a Ticket Granting cookie (TGC) to track the TGT issued during
> authentication.
> 2. CAS does not specifically protect from these attacks.  However, if you
> are using TLS as the transport layer for your services, that protects
> against MITM and replay attacks.  Cross Site Request Forgery protection is
> something each service provider must provide for itself where applicable.
> 3. A TGT is a long-lived ticket that allows you to request service tickets
> for specific services from CAS without having to re-present primary
> credentials.  A service ticket (ST) is a short-lived, one time use ticket
> that a service provider validates with CAS in order to authenticate the
> user.  It is kind of like:
>
>   user:  CAS, please give me a one-time ST good for service "foo".
>   CAS : You don't have a TGT, so please provide me with credentials.
>   user: Here is my username and password.
>   CAS : Looks good.  Here is a TGT that is good for 8 hours.
>         You can use that next time instead of having to type in your credentials.
>         Also, here is the ST you asked for.  It is only good for 10 seconds.
>   user: Service "foo", here is a service ticket that identifies me.
>   foo : CAS, I received this ST-- could you validate it please?
>   CAS : This ST is good.  It is for user "jdoe".
>   foo : User "jdoe", welcome to the "foo" service!
>
> Thanks,
> Carl Waldbieser
> ITS System Programmer
> Lafayette College
>
> ----- Original Message -----
> From: "Durga Prasad" <[email protected]>
> To: [email protected]
> Sent: Sunday, February 8, 2015 10:35:43 AM
> Subject: [cas-user] How does CAS perform Session Management?
>
> Hi Folks,
>
> I have a few doubts on CAS.
>
> 1. How does CAS maintain session between multiple applications?
>
> 2. How is CAS secure from man-in-the-middle, replay, and CSRF attacks?
>
> 3. What is the difference between TGT & service ticket?
>
> Kindly clarify my doubts.
>
> Thanks in advance.
>
> Regards
> Prasad
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

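The ticket exchange described in the quoted reply, modelled as an added example that is not part of the original thread and is not code from the CAS project. The class `ToyCas`, its method names, the in-memory dictionaries and the sample user are assumptions made for illustration; the 8-hour and 10-second lifetimes are the figures used in the reply.

```python
import secrets
import time

TGT_TTL = 8 * 3600   # "good for 8 hours" in the exchange above
ST_TTL = 10          # "only good for 10 seconds"

class ToyCas:
    """Hypothetical in-memory model of the ticket flow; not the CAS server's code."""

    def __init__(self, users, clock=time.time):
        self.users = users      # constructed username -> password table
        self.clock = clock      # injectable so expiry can be exercised in tests
        self.tgts = {}          # TGT id -> (user, expires_at)
        self.sts = {}           # ST id  -> (user, service, expires_at)

    def login(self, username, password):
        """Primary credentials in, TGT out (the value the TGC cookie tracks)."""
        stored = self.users.get(username)
        if stored is None or not secrets.compare_digest(
                stored.encode(), password.encode()):
            return None
        tgt = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt] = (username, self.clock() + TGT_TTL)
        return tgt

    def grant_st(self, tgt, service):
        """Exchange a live TGT for an ST bound to exactly one service."""
        entry = self.tgts.get(tgt)
        if entry is None or self.clock() >= entry[1]:
            self.tgts.pop(tgt, None)
            return None         # no valid TGT: the user must log in again
        st = "ST-" + secrets.token_urlsafe(24)
        self.sts[st] = (entry[0], service, self.clock() + ST_TTL)
        return st

    def validate(self, st, service):
        """Called by the service provider; returns the username or None."""
        entry = self.sts.pop(st, None)   # pop: consumed on first use, pass or fail
        if entry is None:
            return None                  # unknown or already used (replayed) ST
        user, bound_service, expires_at = entry
        if service != bound_service or self.clock() >= expires_at:
            return None                  # wrong service or expired
        return user
```

Because `validate` removes the ST before checking it, a ticket captured after its first presentation is useless, which is the property that separates it from the long-lived TGT.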