Hi there,

A colleague tried an experiment with our CAS that returned a surprising result.

1. Browse to CAS https://cas.trimble.com/cas/login

   The CAS login page is displayed and the response included:

   Set-Cookie: JSESSIONID=C3DE37759B69F4A018F7EC79DAB2ABC7; Path=/cas; Secure

2. Login (using the out-of-the-box password-equals-username auth backend)

   A pleasant green "Login Successful" is displayed and we get a CASTGC:

   Set-Cookie: CASTGC=TGT-13-dACeQGE4BV4ObzNmRGfHwSizSAcgTANJVR5-50; Path=/cas; Secure

3. My colleague with the devious mind used the cookie editing facility of the Firefox Web Developer extension (http://chrispederick.com/work/web-developer/) to change the value of CASTGC to "dodgy".

4. We browsed to https://cas.trimble.com/cas/login again, expecting to be presented with the login page due to our "dodgy" CASTGC. But no, we get "login successful" again!!

   GET /cas/login HTTP/1.1
   Host: cas.trimble.com
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
   Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
   Accept-Language: en-us,en;q=0.5
   Accept-Encoding: gzip,deflate
   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
   Keep-Alive: 300
   Connection: keep-alive
   Cookie: JSESSIONID=C3DE37759B69F4A018F7EC79DAB2ABC7; CASTGC=dodgy

   HTTP/1.x 200 OK
   Date: Wed, 26 Sep 2007 05:00:16 GMT
   Pragma: No-cache
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Cache-Control: no-cache, no-store
   Content-Type: text/html;charset=UTF-8
   Content-Language: en-US
   Vary: Accept-Encoding
   Content-Encoding: gzip
   Content-Length: 788
   Keep-Alive: timeout=5, max=100
   Connection: Keep-Alive

Why are we still (seemingly) logged in to CAS after we munged the CASTGC!?!

This is with the 3.1 CAS server by the way.

--
Dale Ogilvie
Senior Software Engineer
Trimble Navigation NZ Ltd
P O Box 8729 Riccarton
Christchurch
Ph: +64 3 9635344
Fax: +64 3 9635317

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
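The behaviour described in the post, a "Login Successful" page rendered for a CASTGC value that cannot correspond to any issued ticket, comes down to one design question: does the login endpoint act on the mere presence of the ticket-granting cookie, or does it resolve the cookie value in the server-side ticket registry before treating the browser as authenticated? The following Python model is an added illustration written for this page; it is not CAS code and does not reproduce the CAS 3.1 webflow. The `TicketRegistry` class, the `login_presence_only` and `login_validating` functions and the `ttl_seconds` parameter are hypothetical names chosen here, and the cookie headers fed to it are constructed from the request quoted above.

```python
"""Two ways a login endpoint can treat a CAS-style ticket-granting cookie (TGC):
trusting its presence, or resolving it in the ticket registry first.
Hypothetical example, not CAS's own implementation."""
import secrets
import time

TGC_COOKIE = "CASTGC"  # cookie name from the captured exchange


class TicketRegistry:
    """Constructed in-memory registry of ticket-granting tickets.

    Keyed by ticket id; each entry stores the principal and creation time.
    ttl_seconds is a hypothetical expiry, so stale ids also fail to resolve.
    """

    def __init__(self, ttl_seconds=7200):
        self._tickets = {}
        self._ttl = ttl_seconds

    def create_tgt(self, principal):
        # Same shape as the captured cookie (TGT-<n>-<random>), random part unpredictable.
        tgt_id = "TGT-%d-%s" % (len(self._tickets) + 1, secrets.token_urlsafe(32))
        self._tickets[tgt_id] = (principal, time.time())
        return tgt_id

    def lookup(self, tgt_id):
        """Return the principal for a live ticket id, or None if unknown/expired."""
        entry = self._tickets.get(tgt_id)
        if entry is None:
            return None
        principal, created = entry
        if time.time() - created > self._ttl:
            del self._tickets[tgt_id]  # expired: drop it so it never resolves again
            return None
        return principal


def parse_cookie_header(header):
    """Parse the value of a request Cookie header ('a=b; c=d') into a dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def login_presence_only(cookies):
    """Weak variant: any non-empty TGC value is taken as 'already logged in'."""
    return "login_success" if cookies.get(TGC_COOKIE) else "login_form"


def login_validating(cookies, registry):
    """Hardened variant: the TGC must resolve to a live ticket in the registry."""
    tgt_id = cookies.get(TGC_COOKIE)
    if not tgt_id or registry.lookup(tgt_id) is None:
        return "login_form"
    return "login_success"


def run_demo():
    """Replay the post's steps against both variants and return the outcomes."""
    registry = TicketRegistry()
    real_tgt = registry.create_tgt("dale")  # step 2: a TGT is issued and set as CASTGC
    # Constructed Cookie headers modelled on the captured request.
    genuine = parse_cookie_header("JSESSIONID=C3DE37759B69F4A018F7EC79DAB2ABC7; CASTGC=" + real_tgt)
    tampered = parse_cookie_header("JSESSIONID=C3DE37759B69F4A018F7EC79DAB2ABC7; CASTGC=dodgy")
    return {
        "genuine/presence_only": login_presence_only(genuine),
        "genuine/validating": login_validating(genuine, registry),
        "tampered/presence_only": login_presence_only(tampered),
        "tampered/validating": login_validating(tampered, registry),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print("%-24s -> %s" % (case, outcome))
```

With the presence-only check, the "dodgy" cookie yields `login_success`, which is exactly the symptom in the post; the validating check sends the same request back to the login form. The practical takeaway for anyone operating an SSO server is that the registry lookup, not the cookie's existence, is the authentication decision, and that the page a browser sees should be derived from the lookup result.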
