> I guess the designer's purpose is taking the pressure off the CAS
> server, but it makes a security issue. The above code means the assertion is
> always validated, regardless of whether the ST in the ticket cache is expired or not,
> unless the session times out. Another issue is that the LogoutAction on the CAS
> server side should call back to invalidate the session.
>
> My proposal is to put the ST in the session and validate it every time in order
> to keep the security working.
You can only validate an ST once (normally), so you need to store something
*else* (in the session) to create a useful security context. The assertion is
only stored (in the session) when the validation has succeeded. Since nobody
else is supposed to be able to mess with the server-side session, this should
not cause a security problem. [please correct me if I'm wrong]

--
Velpi

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
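The model the two messages above argue about, written out as an added example. This is not code from the Yale CAS client or server; it is a small Python simulation in which the CAS side consumes a service ticket (ST) on its first successful validation, the client side keeps the resulting assertion in its server-side session and never re-validates the ST on later requests, and a logout callback from CAS (keyed by the ST that created the session, as the first poster asks for) invalidates that session. The ST lifetime, the session timeout, the ticket format and the callback shape are assumptions for illustration; the sample user and service names are constructed.

```python
"""Toy model of the CAS session handling discussed in the thread (added
example, not Yale CAS code). Assumed: an ST is single-use and short-lived,
the client session is the security context, and single logout is delivered
as a callback carrying the ST."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

ST_LIFETIME_SECS = 10        # assumed: an unused ST expires quickly
SESSION_TIMEOUT_SECS = 600   # assumed: client session idle timeout


class CasServer:
    """Minimal ticket registry: an ST is bound to one service and removed
    by its first validation, so a replay fails even if it is not expired."""

    def __init__(self, now=time.time):
        self.now = now
        self._tickets = {}  # st -> (user, service, issued_at)

    def issue_st(self, user: str, service: str) -> str:
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (user, service, self.now())
        return st

    def validate(self, st: str, service: str) -> Optional[str]:
        """Return the asserted user, or None. The ticket is consumed whether
        or not the check passes, so a second call with the same ST fails."""
        entry = self._tickets.pop(st, None)
        if entry is None:
            return None
        user, bound_service, issued = entry
        if bound_service != service or self.now() - issued > ST_LIFETIME_SECS:
            return None
        return user


@dataclass
class Session:
    assertion: Optional[str] = None  # user asserted by CAS, set once
    st: Optional[str] = None         # ST that created this session
    last_seen: float = 0.0


class CasClient:
    """Client-side filter logic: the assertion lives in the session; the ST
    is kept only so a logout callback can find the session it created."""

    def __init__(self, cas: CasServer, service: str, now=time.time):
        self.cas = cas
        self.service = service
        self.now = now
        self.sessions = {}    # session id -> Session
        self._st_index = {}   # st -> session id (for single logout)

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(last_seen=self.now())
        return sid

    def handle_request(self, sid: str, ticket: Optional[str] = None) -> Optional[str]:
        """Return the authenticated user for this request, or None when the
        request would have to be redirected to CAS login."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        if self.now() - sess.last_seen > SESSION_TIMEOUT_SECS:
            self.sessions.pop(sid)          # idle timeout ends the context
            return None
        sess.last_seen = self.now()
        if sess.assertion is not None:
            return sess.assertion           # served from session, no re-validation
        if ticket is None:
            return None
        user = self.cas.validate(ticket, self.service)
        if user is None:
            return None
        sess.assertion, sess.st = user, ticket  # stored only after success
        self._st_index[ticket] = sid
        return user

    def logout_callback(self, st: str) -> bool:
        """Assumed single-logout hook: CAS names the ST it is logging out and
        the client drops the matching session. Returns True if one was found."""
        sid = self._st_index.pop(st, None)
        if sid is None:
            return False
        self.sessions.pop(sid, None)
        return True


def demo():
    """Walk through one login: validate once, replay fails, later requests use
    the session, logout callback ends it. Uses a fake clock."""
    clock = [1000.0]
    now = lambda: clock[0]
    cas = CasServer(now)
    client = CasClient(cas, "https://app.example/", now)   # constructed service
    sid = client.new_session()
    st = cas.issue_st("alice", "https://app.example/")     # constructed user
    first = client.handle_request(sid, ticket=st)           # ST validated once
    replay = cas.validate(st, "https://app.example/")       # already consumed
    clock[0] += 60
    later = client.handle_request(sid)                      # from session only
    logged_out = client.logout_callback(st)
    after_logout = client.handle_request(sid)
    return first, replay, later, logged_out, after_logout


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the point both posters are circling: re-validating the ST on every request cannot work because the second `validate` call already returns None, so the session-stored assertion is the security context, and what closes the gap the first poster worries about is the logout callback (and the idle timeout), not repeated validation.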
