> is that how it is supposed to work? Yes.
> is that how it is supposed to work?

Yes.

CAS is an authenticated session broker, not a session management system. It is intended for use as the trusted intermediary whereby you at your browser bootstrap an authentication to some untrustworthy application on the web. (The application may or may not be reputable, but the point is that you don't have to trust them because you both trust CAS.)

On receipt of that first valid service ticket, the application should use its own session management mechanism to recognize this authenticated session on future requests. This typically involves issuing a session cookie. The application should be vended over https:// and so the cookie should be secure if the application actually cares about security. If it doesn't mind your session being hijacked, then it's not clear why it's using CAS in the first place, since no amount of CAS can actually make the application secure at that point, but at least end user passwords aren't being sent in the clear.

If you're using a CAS client library, it typically automates accomplishing this session bootstrapping in some platform-appropriate way. See e.g. the Yale CAS Filter, which fairly succinctly sums up what a CAS client must do. It detects tickets and, when it sees ticket parameters, attempts to validate them, establishing an authenticated session. When there's no ticket, it checks that the session is already authenticated. When there's no ticket and no session, it redirects to CAS so that a ticket can be acquired, which will then lead it to create an authenticated session.

> I just want to make sure that CAS is actually acting
> as an intermediary to every request of a protected
> page and that all my pages are indeed protected....

While in theory you could do this, it is not recommended. This creates needless load on your CAS server. It also typically fails to support form posting, since most (all?) CAS clients today will remember and honor URL query parameters (GET) but will not remember form POSTs on return from CAS.
Andrew Petro
Academus Development Lead
Unicon, Inc.

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of tedzo
Sent: Monday, January 22, 2007 1:33 PM
To: Yale CAS mailing list
Subject: Only 1 ticket per login?

Ok, this is probably a dumb question- The first time I try to access one of the CAS protected JSPs, I am asked to login to CAS and I get back a ticket. However, subsequent access to other CAS protected pages takes me directly to the page (as expected) but no ticket is being returned.

My question is- is that how it is supposed to work? The ticket is returned only the first time and not afterwards?

I just want to make sure that CAS is actually acting as an intermediary to every request of a protected page and that all my pages are indeed protected....

Thanks,
Ray.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
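The client-side sequence Andrew describes (validate a ticket when one is present, otherwise rely on the application's own session cookie, otherwise redirect to CAS), as an added Python example that is not code from the thread or from the Yale CAS Filter; the CAS login URL, the cookie name and the stub validator standing in for a real /serviceValidate call are assumptions.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_LOGIN_URL = "https://cas.example.edu/cas/login"  # assumed CAS server, not from the thread

SUCCESS_XML = ("<cas:serviceResponse><cas:authenticationSuccess><cas:user>{}</cas:user>"
               "</cas:authenticationSuccess></cas:serviceResponse>")
FAILURE_XML = ("<cas:serviceResponse><cas:authenticationFailure code='INVALID_TICKET'/>"
               "</cas:serviceResponse>")

def make_stub_validator(tickets):
    """Stand-in for the CAS /serviceValidate call (constructed): a ticket is good once, for one service."""
    def validate(ticket, service):
        user = tickets.pop((ticket, service), None)   # single use: a replayed ticket fails
        return SUCCESS_XML.format(user) if user else FAILURE_XML
    return validate

def user_from_response(xml):
    """Extract the user from a CAS 2.0 validation response, or None when validation failed."""
    m = re.search(r"<cas:authenticationSuccess>.*?<cas:user>([^<]+)</cas:user>", xml, re.S)
    return m.group(1) if m else None

class CasFilter:
    def __init__(self, validator, cookie_name="CASSESSION"):
        self.validator = validator
        self.cookie_name = cookie_name
        self.sessions = {}   # the application's own session store: session id -> user

    def handle(self, url, cookies):
        """Decide one request: ('ok', user, set_cookie), ('redirect', location, None) or ('forbidden', reason, None)."""
        parts = urlsplit(url)
        query = dict(parse_qsl(parts.query))
        ticket = query.pop("ticket", None)
        # The service URL is this request minus the ticket: the URL the ticket was issued for.
        # Only GET parameters survive the round trip to CAS; a form POST body would be lost.
        service = urlunsplit(parts._replace(query=urlencode(query)))
        if ticket is not None:                       # 1. ticket present: validate it
            user = user_from_response(self.validator(ticket, service))
            if user is None:
                return ("forbidden", "ticket validation failed", None)
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = user
            # The app is served over https, so the cookie that replaces the ticket is marked Secure.
            return ("ok", user, f"{self.cookie_name}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/")
        sid = cookies.get(self.cookie_name)
        if sid in self.sessions:                     # 2. no ticket: is the session already authenticated?
            return ("ok", self.sessions[sid], None)
        return ("redirect", CAS_LOGIN_URL + "?" + urlencode({"service": service}), None)  # 3. go get a ticket
```

Only the first request carries a ticket; later requests are recognized by the session cookie, and a replay of the consumed ticket is rejected by the validator.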
