I have a question about whether or not a CAS ticket can be intercepted, and whether anyone thinks that is a problem.
I am using the JavaClient 3.1. If a user navigates to http://www.cas-protected-service.com/, the user is redirected to the CAS login page and asked to log in. After the user is authenticated, there ultimately is a browser redirect to the following URL: http://www.cas-protected-service.com/?ticket=ST-some-cas-ticket.

Now - if I intercept this URL before this ticket is validated, and type it in on another browser with a different session, the new browser is validating this ticket and allowing me access to the page as the previously authenticated user. Is there something I am doing wrong, or is this the expected behavior? Should the CAS client code check session cookies to make sure that the same client is validating the ticket?

My web.xml exactly follows that of the example in the wiki. I'm not doing anything strange. Thanks in advance.

Robert

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
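As an added illustration (not code from the CAS server or from the JavaClient 3.1), the following Python model of a service-ticket registry shows the two protocol properties that bound the replay described in the question: a service ticket is tied to the service URL it was issued for, and it is consumed by its first validation, so a copied `?ticket=ST-...` URL only succeeds if it reaches the server before the legitimate browser's own validation. The 10-second ticket lifetime and the `TicketRegistry` class are assumptions of this model, not CAS defaults.

```python
"""Toy model of server-side CAS service-ticket (ST) handling.

Illustration only, not CAS server code. It captures what limits the
replay in the question: a ticket is bound to one service and is
removed from the registry the first time anyone tries to validate it.
"""
import secrets
import time

ST_LIFETIME_SECONDS = 10  # assumed value for this model, not a CAS default


class TicketRegistry:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, for testing expiry
        self._tickets = {}              # ticket id -> (service, user, issued_at)

    def issue(self, service, user):
        """Mint an unguessable ST bound to `service` for an authenticated user."""
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (service, user, self._now())
        return ticket

    def validate(self, ticket, service):
        """Return the user if `ticket` is valid for `service`, else None.

        The ticket is popped on the first attempt whatever the outcome,
        so a second validation (a replayed URL) always fails.
        """
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None                 # unknown, expired-and-purged, or already used
        issued_service, user, issued_at = entry
        if issued_service != service:
            return None                 # ticket presented to a different service
        if self._now() - issued_at > ST_LIFETIME_SECONDS:
            return None                 # too old, even if never used
        return user


def replay_outcome(registry, service, user):
    """Issue one ST and validate it twice, as two browsers would.

    Returns (first_result, second_result); the second is always None.
    """
    ticket = registry.issue(service, user)
    first = registry.validate(ticket, service)
    second = registry.validate(ticket, service)
    return first, second
```

Inside that window a copied URL still wins the race if it is validated first, which is why the redirect carrying the ticket should travel over HTTPS so the URL cannot be read in transit.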
