It's actually not surprising. You're not presented with the login screen if you already have an existing TGT cookie. You'll find, though, that if you tried to access a service after you modified the cookie it wouldn't work, as there is no matching TGT when CAS attempts to grant a service ticket. At that point you would be prompted to log in again.
-Scott

On 9/26/07, Dale Ogilvie <[EMAIL PROTECTED]> wrote:
>
> Hi there,
>
> A colleague tried an experiment with our CAS that returned a surprising
> result.
>
> 1. Browse to CAS https://cas.trimble.com/cas/login
>
> The CAS login page is displayed and the response included:
>
> Set-Cookie: JSESSIONID=C3DE37759B69F4A018F7EC79DAB2ABC7; Path=/cas; Secure
>
> 2. Login (using the out-of-the-box password equals username auth backend)
>
> A pleasant green "Login Successful" is displayed and we get a CASTGC:
>
> Set-Cookie: CASTGC=TGT-13-dACeQGE4BV4ObzNmRGfHwSizSAcgTANJVR5-50; Path=/cas; Secure
>
> 3. My colleague with the devious mind used the cookie editing facility
> of the Firefox Web Developer extension
> (http://chrispederick.com/work/web-developer/) to change the value of
> CASTGC to "dodgy"
>
> 4. We browsed to https://cas.trimble.com/cas/login again, expecting to
> be presented with the login page due to our "dodgy" CASTGC.
>
> But no, we get "login successful" again!!
>
> GET /cas/login HTTP/1.1
> Host: cas.trimble.com
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
> Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Cookie: JSESSIONID=C3DE37759B69F4A018F7EC79DAB2ABC7; CASTGC=dodgy
>
> HTTP/1.x 200 OK
> Date: Wed, 26 Sep 2007 05:00:16 GMT
> Pragma: No-cache
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Cache-Control: no-cache, no-store
> Content-Type: text/html;charset=UTF-8
> Content-Language: en-US
> Vary: Accept-Encoding
> Content-Encoding: gzip
> Content-Length: 788
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
>
> Why are we still (seemingly) logged in to CAS after we munged the
> CASTGC!?!
>
> This is with the 3.1 CAS server by the way.
>
> --
> Dale Ogilvie
> Senior Software Engineer
> Trimble Navigation NZ Ltd
> P O Box 8729
> Riccarton
> Christchurch
> Ph: +64 3 9635344
> Fax: +64 3 9635317
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
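The behaviour described in the reply, as an added toy model rather than code from the CAS project or from either poster: `/cas/login` with no `service` parameter renders "Login Successful" on the mere presence of a CASTGC cookie, while a request that needs a service ticket looks the TGT up in the ticket registry and, finding no match for the tampered value, falls back to the login form. The `TicketRegistry`, `handle_login` and `reproduce_experiment` names, the response dictionaries and the service URL are assumptions made for the illustration, not CAS internals.

```python
"""Toy model of the CAS 3.1 login behaviour discussed in the thread.

Added example, not CAS source code. Class and function names, the shape of
the responses and the service URL are assumptions for illustration only.
"""
import secrets


class TicketRegistry:
    """In-memory stand-in for the CAS ticket registry: TGT id -> principal."""

    def __init__(self):
        self._tgts = {}
        self._sts = {}
        self._counter = 0

    def grant_tgt(self, principal):
        self._counter += 1
        tgt = f"TGT-{self._counter}-{secrets.token_urlsafe(24)}"
        self._tgts[tgt] = principal
        return tgt

    def grant_st(self, tgt, service):
        # No matching TGT in the registry: no service ticket can be minted.
        if tgt not in self._tgts:
            return None
        self._counter += 1
        st = f"ST-{self._counter}-{secrets.token_urlsafe(24)}"
        self._sts[st] = (self._tgts[tgt], service)
        return st


def handle_login(registry, cookies, service=None, credentials=None):
    """Model of GET/POST /cas/login.

    Returns a dict with 'status', 'body' and, where relevant, 'set_cookie' or
    'location'. Without a service parameter, the presence of a CASTGC cookie
    is enough to render 'Login Successful'; the TGT value is only looked up
    when a service ticket has to be granted.
    """
    tgc = cookies.get("CASTGC")

    if credentials is not None:
        # Out-of-the-box password-equals-username backend from the thread.
        user, password = credentials
        if user != password:
            return {"status": 401, "body": "login form"}
        tgt = registry.grant_tgt(user)
        if service:
            st = registry.grant_st(tgt, service)
            return {"status": 302, "set_cookie": {"CASTGC": tgt},
                    "body": "", "location": f"{service}?ticket={st}"}
        return {"status": 200, "set_cookie": {"CASTGC": tgt},
                "body": "Login Successful"}

    if service is None:
        # Cookie presence only; the value is never checked on this path.
        if tgc:
            return {"status": 200, "body": "Login Successful"}
        return {"status": 200, "body": "login form"}

    # A service ticket is needed, so the TGT must actually exist.
    st = registry.grant_st(tgc, service) if tgc else None
    if st is None:
        return {"status": 200, "body": "login form"}  # prompted to log in again
    return {"status": 302, "body": "", "location": f"{service}?ticket={st}"}


def reproduce_experiment(registry=None):
    """Walk through the four steps of the original message, then hit a service."""
    registry = registry or TicketRegistry()
    service = "https://app.example.com/"  # assumed service URL, not from the thread

    r1 = handle_login(registry, {})                                  # step 1: login form
    r2 = handle_login(registry, {}, credentials=("alice", "alice"))  # step 2: login
    cookies = dict(r2["set_cookie"])
    cookies["CASTGC"] = "dodgy"                                      # step 3: tamper
    r4 = handle_login(registry, cookies)                             # step 4: still "successful"
    r5 = handle_login(registry, cookies, service=service)            # service: back to the form
    return {"step1": r1["body"], "step2": r2["body"],
            "step4": r4["body"], "step5": r5["body"]}


if __name__ == "__main__":
    for step, body in reproduce_experiment().items():
        print(f"{step}: {body}")
```

The point the model makes is that the green "Login Successful" page is cosmetic: it is rendered from the cookie's presence, while authorization for any service is decided by the registry lookup in `grant_st`, which is where the bogus value fails.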
