Thanks Andrew,

When the initial authentication is successful and after the user establishes the
session with CAS, does the Service Ticket go as a cookie in subsequent
requests, or should I make a programming effort to distinguish, based on the
session ID, whether this is a new or a subsequent request? Then what about
security, e.g. session hijacking?

Well... I think I am doing something like mod_cas using Perl on Apache 2.2 with
mod_perl 2.0.

How does mod_cas store this information (to check whether it is a first or a
subsequent request)?


Thanks

Andrew Petro-3 wrote:
> 
> Hi,
> 
> I'm not sure in what context you are implementing the logic you describe,
> but:
> CAS should be used as an authenticated session broker, not as an
> intermediary for every request.  So the logic is:
> 
> if (request has ticket) {
>   validate ticket and create authenticated application session
> } else if (request does not have ticket && user does not already have
>            session) {
>   redirect to CAS login page with service
> } else {
>   redirect to CAS login servlet
> }
> 
> Your application should use the service ticket as a basis to establish an
> application session (typically mediated by a session cookie) which it uses
> to recognize the user on subsequent requests, rather than requiring each
> page access to bounce through CAS to include a ticket parameter.
> 
> Andrew
> 
>> 2) Just want to know: when the initial authentication is successful
>> (serviceValidate), how can we make sure subsequent requests would not go
>> and do the serviceValidate again?
>> 
>>      My basic logic is
>>         if (request does not have ticket) {
>>           redirect to cas login page with service
>>         }
>> 
>> 
>> What happens currently is that it asks for the password once and hits the CAS
>> server, and CAS generates a ticket each time. To my understanding one (ST)
>> ticket should be enough for that httpd session.
>> 
>> 
> 
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
> 
> 

-- 
View this message in context: 
http://www.nabble.com/CAS-Client-doubts-tf3025300.html#a8408459
Sent from the CAS Users mailing list archive at Nabble.com.
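The three-way split Andrew describes (ticket present: validate once and mint an application session; no ticket and no session: redirect to CAS login; otherwise: serve the page from the session cookie) is shown below as an added, framework-neutral Python example. It is not mod_cas, not the poster's mod_perl code, and not code from the CAS project. The CAS base URL, the cookie name, the session lifetime and the request/response shapes are assumptions; the HTTP GET to /serviceValidate is injected as a `fetch` callable so the example runs offline against a constructed serviceValidate response. It also shows the points the poster asks about for hijacking: the Service Ticket is never stored in a cookie, the session id is a random token held server-side, the cookie is marked Secure and HttpOnly, sessions expire, and the ticket parameter is stripped from the URL after validation.

```python
# Added example (not mod_cas, not the original poster's Perl): the
# "CAS as session broker" flow from Andrew's reply, as plain Python.
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

CAS_BASE = "https://cas.example.edu/cas"   # assumed CAS server URL
SESSION_COOKIE = "APP_SESSION"            # assumed application cookie name
SESSION_TTL = 3600                        # assumed session lifetime in seconds
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0 XML responses

# Server-side session store: the browser only ever holds an opaque random id,
# never the Service Ticket and never the username.
SESSIONS = {}


def validate_ticket(ticket, service, fetch):
    """Validate a Service Ticket against /serviceValidate.

    `fetch(url)` performs the HTTPS GET and returns the response body; it is
    injected so the example runs offline. Returns the username found under
    <cas:authenticationSuccess>, or None on any failure response.
    """
    url = f"{CAS_BASE}/serviceValidate?" + urlencode({"ticket": ticket, "service": service})
    root = ET.fromstring(fetch(url))
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text if user is not None else None


def strip_ticket(url):
    """The service URL without its ticket parameter: an ST is single-use and
    should not linger in bookmarks, Referer headers or access logs."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(query)))


def new_session(user, now):
    """Mint an unguessable session id and record who it belongs to."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def current_user(cookies, now):
    """Resolve the session cookie to a user, dropping expired sessions."""
    sid = cookies.get(SESSION_COOKIE, "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if sess["expires"] <= now:
        del SESSIONS[sid]          # expired: treat exactly like "no session"
        return None
    return sess["user"]


def handle_request(req, fetch, now=None):
    """req = {"url": str, "params": dict, "cookies": dict} (assumed shape).
    Returns (status, headers, body) as a handler would answer."""
    now = time.time() if now is None else now
    ticket = req["params"].get("ticket")
    service = strip_ticket(req["url"])

    if ticket:
        # First request back from CAS: validate exactly once, establish an
        # application session, then redirect to the same URL minus the ticket.
        user = validate_ticket(ticket, service, fetch)
        if user is None:
            return 403, {}, "ticket validation failed"
        sid = new_session(user, now)
        cookie = f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
        return 302, {"Location": service, "Set-Cookie": cookie}, ""

    user = current_user(req["cookies"], now)
    if user is None:
        # No ticket and no valid session: send the browser to CAS login.
        login = f"{CAS_BASE}/login?" + urlencode({"service": service})
        return 302, {"Location": login}, ""

    # Subsequent request: recognised by the session cookie, no CAS round trip.
    return 200, {}, f"hello {user}"
```

Only the Set-Cookie path ever talks to CAS; every later request is answered from `SESSIONS`. Whether the session store lives in process memory, a file or a database is an application choice, but the cookie value itself should stay an opaque random id as here, since anything derived from the username or the ticket is guessable and would reopen the hijacking question the poster raises.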
