You are right, but if an attacker uses a different session in every authentication request, for CAS is it a different user who is trying to authenticate or not? So I think that this case is the business of a superior check, like a filter that counts the bad authentication requests from that IP address and denies requests from blocked IP addresses, to keep CAS safe from brute force.
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
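
Added example, not part of the original message and not CAS code: a sketch of the filter logic the message describes, counting failed logins per source address in a sliding window and rejecting requests while the address is blocked. The class and function names, the thresholds and the sample events are all assumptions made for illustration; the same events are replayed keyed by session id to show why a per-session counter never fires when every request carries a fresh session.

```python
from collections import defaultdict, deque

class FailureThrottle:
    """Sliding-window counter of failed logins for one kind of key (hypothetical helper)."""

    def __init__(self, max_failures=5, window=60.0, block_for=300.0):
        self.max_failures = max_failures
        self.window = window                  # seconds a failure stays relevant
        self.block_for = block_for            # seconds a key stays blocked
        self.failures = defaultdict(deque)    # key -> timestamps of recent failures
        self.blocked_until = {}               # key -> time the block expires

    def is_blocked(self, key, now):
        return self.blocked_until.get(key, 0.0) > now

    def record_failure(self, key, now):
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[key] = now + self.block_for
            recent.clear()

def replay(events, key_field):
    """Run events through a throttle keyed on 'ip' or 'session'; return rejections."""
    throttle = FailureThrottle()
    rejected = 0
    for ev in events:
        key = ev[key_field]
        if throttle.is_blocked(key, ev["t"]):
            rejected += 1                     # denied before reaching the login handler
            continue
        if not ev["ok"]:
            throttle.record_failure(key, ev["t"])
    return rejected

# Constructed sample: one address sends 20 bad logins, one per second, each with
# a fresh session id; a second address logs in once successfully.
EVENTS = [{"t": float(i), "ip": "192.0.2.10", "session": f"s{i}", "ok": False}
          for i in range(20)]
EVENTS.append({"t": 20.0, "ip": "198.51.100.7", "session": "u1", "ok": True})

if __name__ == "__main__":
    print("rejected when keyed by session:", replay(EVENTS, "session"))
    print("rejected when keyed by IP:", replay(EVENTS, "ip"))
```

Keying on the address also blocks every legitimate user behind the same NAT or proxy for the block period, so the threshold and block duration need tuning for the deployment.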
