David,

If you please keep support questions to the General maillist, they will be answered promptly; develop list is for development purposes. I'm forwarding this onto the General list for discussion there.

With that being said, I'm trying to understand what you mean by "how session is handled using CAS". If you are referring to the Tomcat server-side session, then that should be a cookie such as JSESSIONID within your web browser. If you want to see this cookie easily, I suggest you use Firefox as it will readily show you cookies via the Tools Menubar > Options > Privacy Tab > Show Cookies. It is appalling that IE doesn't have support for showing cookies.

When you are looking at your cookies, you should also see a cookie named CASTGC; this cookie holds your ticket granting ticket (TGT) which is used to verify that you are currently single signed on. This cookie should only be read by the CAS server; CAS clients should NEVER see this.

HTH,
A-

On 7/28/08 7:49 AM, "David Whitehurst" <[EMAIL PROTECTED]> wrote:

> I can't seem to determine how session is handled using CAS. I'm using
> CAS on a state installation and I'm quite comfortable that the session
> is well protected. I've tested favorites, url in another browser,
> etc. but I don't see a cookie in c:\Documents and
> Settings\dlwhitehurst\Cookies\
>
> And, I'm not seeing any ids in the URL. And, I can't find hidden
> fields. Can someone help me here. I'm trying to clearly understand
> how this works and be sure that we're fully protected or at least
> understand our risks.
>
> Thanks,
>
> David
> _______________________________________________
> cas-dev mailing list
> [EMAIL PROTECTED]
> http://tp.its.yale.edu/mailman/listinfo/cas-dev

--
Andrew R. Feller, Analyst
Information Technology Services
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
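The reply above says CASTGC should only ever be read by the CAS server while the application keeps its own JSESSIONID. As an added example (not part of the original thread and not CAS project code), the sketch below applies browser cookie-scoping rules to Set-Cookie headers to check which cookies reach which URL; the hostnames, paths and cookie values are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie headers; hosts, paths and values are assumptions.
WELL_SCOPED = [
    ("https://cas.example.edu/cas/login", "CASTGC=TGT-1-constructed; Path=/cas; Secure"),
    ("https://app.example.edu/portal/home", "JSESSIONID=0123ABCD; Path=/portal"),
]
# Same TGC issued with a parent Domain and root Path (the scoping mistake to catch).
TOO_BROAD = [
    ("https://cas.example.edu/cas/login",
     "CASTGC=TGT-1-constructed; Domain=example.edu; Path=/; Secure"),
]

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def build_jar(responses):
    # Record each cookie with the scope a browser would store for it.
    jar = []
    for url, header in responses:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar.append({
                "name": name,
                "origin_host": urlsplit(url).hostname,
                "domain": morsel["domain"].lstrip(".").lower(),  # "" means host-only
                "path": morsel["path"] or "/",  # simplification of the default path
                "secure": bool(morsel["secure"]),
            })
    return jar

def cookies_sent(jar, url):
    """Names of the cookies a browser would attach to a request for url."""
    target = urlsplit(url)
    host, path = target.hostname, target.path or "/"
    sent = []
    for c in jar:
        if c["domain"]:
            host_ok = host == c["domain"] or host.endswith("." + c["domain"])
        else:
            host_ok = host == c["origin_host"]
        if host_ok and path_match(path, c["path"]) and (target.scheme == "https" or not c["secure"]):
            sent.append(c["name"])
    return sorted(sent)
```

Feeding it the Set-Cookie headers copied from a browser's cookie viewer for your own CAS server and client application shows whether the TGC would ever be presented to a CAS client.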
