Robert,

If you're using an "important" service (and I'll leave the definition of important up to your organization) then you should always access that application over SSL. If you've accessed the application over SSL, then the CAS ticket is not prone to a man-in-the-middle attack. You could however use the "I'm sitting at the computer and copied the url into another browser" attack, which really isn't an attack since it's just you putting the url into the browser.
If you access the service over standard HTTP, then everything is transmitted in plain text and you do run the risk that someone could intercept the ticket. We don't prevent you from using standard HTTP, but it's not recommended for "important" services such as ones with financial or student data. Regardless, if someone was able to obtain the service ticket and utilize it before the correct person did, only that particular session for that particular application would be compromised. The SSO session as well as other applications would be safe. The CAS clients have no concept of associating a ticket with a session, as tickets don't exist when the session was created.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Mon, Aug 11, 2008 at 6:34 PM, Robert R <[EMAIL PROTECTED]> wrote:
> I have a question about whether or not a CAS ticket can be
> intercepted, and whether anyone thinks that is a problem.
>
> I am using the JavaClient 3.1. If a user navigates to
> http://www.cas-protected-service.com/, the user is redirected to the
> CAS log in page, and asked to log in. After the user is
> authenticated, there ultimately is a browser redirect to the following
> url: http://www.cas-protected-service.com/?ticket=ST-some-cas-ticket.
> Now - if I intercept this URL before this ticket is validated, and
> type it in on another browser with a different session, the new
> browser is validating this ticket and allowing me access to the page
> as the previously authenticated user.
>
> Is there something I am doing wrong, or is this the expected behavior?
> Should the CAS client code check session cookies to make sure that
> the same client is validating the ticket?
>
> My web.xml exactly follows that of the example in the wiki. I'm not
> doing anything strange.
>
> Thanks in advance.
>
> Robert
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
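The ticket handling discussed in this thread, as an added illustrative model that is not the CAS server's or the Java client's code: service tickets are bound to one service, expire quickly and are consumed on first validation, so a ticket replayed after the legitimate browser has validated it is rejected, while the only protection against a ticket copied from a cleartext URL before validation is to refuse tickets that did not arrive over TLS. The `TicketRegistry` class, the `accept_ticket_url` check and the `require_https` option are constructed for this example.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Constructed toy model of a CAS service-ticket registry (not CAS's own code):
# a ticket is valid for one service, for a short time, and for one validation.
class TicketRegistry:
    def __init__(self, ttl_seconds=10.0):
        self.ttl = ttl_seconds
        self._tickets = {}  # ticket id -> (service, user, issue time)

    def grant(self, service, user):
        st = "ST-" + secrets.token_urlsafe(16)
        self._tickets[st] = (service, user, time.monotonic())
        return st

    def validate(self, st, service):
        rec = self._tickets.pop(st, None)  # one-time use: gone after first call
        if rec is None:
            return None                   # unknown, expired or already consumed
        svc, user, issued = rec
        if svc != service or time.monotonic() - issued > self.ttl:
            return None
        return user

def accept_ticket_url(url, registry, require_https=True):
    """What a CAS-protected service sees on the redirect back from login.
    Returns (user, reason); user is None when the ticket is not accepted."""
    p = urlparse(url)
    if require_https and p.scheme != "https":
        # Hypothetical hardening: a ticket carried over cleartext HTTP may
        # already have been observed in transit, so do not honour it.
        return None, "ticket carried over cleartext HTTP; refuse and require TLS"
    ticket = parse_qs(p.query).get("ticket", [None])[0]
    if ticket is None:
        return None, "no ticket parameter"
    service = f"{p.scheme}://{p.netloc}{p.path}"  # service URL without the ticket
    user = registry.validate(ticket, service)
    if user is None:
        return None, "ticket rejected: unknown, already used, expired or wrong service"
    return user, "ok"

if __name__ == "__main__":
    reg = TicketRegistry()
    svc = "https://www.cas-protected-service.com/"
    url = f"{svc}?ticket={reg.grant(svc, 'robert')}"
    print(accept_ticket_url(url, reg))                            # first use: accepted
    print(accept_ticket_url(url, reg))                            # replay after validation: rejected
    print(accept_ticket_url(url.replace("https", "http", 1), reg))  # cleartext: refused
```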
