Re: [cas-user] Prevent users bookmarking and sharing URLs containing CAS ticket

2022-03-04 Thread Rob Pumphrey
Excellent, thank you. Our ST expiration lifetime is too long.



-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ad621aa0-b3af-4222-ad08-29cdcc73dc8an%40apereo.org.


Re: [cas-user] Prevent users bookmarking and sharing URLs containing CAS ticket

2022-03-04 Thread Petr Fišer

Hello,
I think you should look into TGT/ST expiration and validation policies:
https://apereo.github.io/cas/6.4.x/ticketing/Configuring-Ticket-Expiration-Policy.html

For example, setting

cas.ticket.st.number-of-uses=1

will make CAS invalidate the service ticket after one validation
attempt. Subsequent validations will fail.
This might be your server-side mitigation. The setting can also be defined
per service.

You need to take special care sometimes, as some JS applications, with
their asynchronous requests, might make more than one validation attempt.
We have even seen differences between browsers... FF and Safari were fine
with one validation, IE needed a limit of 20 validations to work
correctly. The root cause of this was in the particular application, so YMMV.

Cheers,
Fiisch



Re: [cas-user] Prevent users bookmarking and sharing URLs containing CAS ticket

2022-03-04 Thread Carl Waldbieser
The lifetime of a service ticket is usually set pretty short, 15 or 20
seconds max. Alice needs to leak her ST within that timeframe for it to be
valid, or else Bob should get an invalid ticket error at the client.

You may want to examine the ST lifetime and shorten it.

Thanks,
Carl Waldbieser



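An added example, written for this page and not taken from CAS or from any poster in the thread: a small Python model of the two server-side controls the replies above rely on, the per-ticket use count (Petr's cas.ticket.st.number-of-uses=1) and the short service-ticket lifetime Carl describes. It replays the Alice/Bob scenario from the original post against each policy, and also models the asynchronous-JS client that validates the same ticket several times. The registry, the function names and the clock values are hypothetical; the TTL property name mentioned in a comment is given from memory and should be checked against the linked expiration-policy documentation.

```python
"""Toy model of a CAS service-ticket (ST) expiration policy.

Added example, not code from CAS. It models the two knobs discussed in the
thread: a maximum number of validations per ticket (cas.ticket.st.number-of-uses)
and a time-to-live, and replays the Alice/Bob scenario against each.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class ServiceTicket:
    ticket_id: str
    principal: str
    service: str        # the service URL the ST was issued for
    created_at: float
    uses: int = 0


@dataclass
class TicketRegistry:
    """In-memory ST registry enforcing a use count and a TTL (hypothetical, not CAS's registry)."""
    time_to_kill_seconds: float = 10.0  # TTL; CAS property name assumed: cas.ticket.st.time-to-kill-in-seconds
    number_of_uses: int = 1             # cas.ticket.st.number-of-uses, as quoted in the thread
    _tickets: dict = field(default_factory=dict)

    def grant(self, principal: str, service: str, now: float) -> str:
        """Issue an ST bound to one principal and one service URL."""
        ticket_id = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket_id] = ServiceTicket(ticket_id, principal, service, now)
        return ticket_id

    def validate(self, ticket_id: str, service: str, now: float):
        """Return the principal if the ST is valid for `service` at `now`, else None.

        Every successful call counts as one use; an expired or exhausted ST is
        removed from the registry so a later replay cannot succeed.
        """
        st = self._tickets.get(ticket_id)
        if st is None or st.service != service:
            return None
        if now - st.created_at > self.time_to_kill_seconds:
            del self._tickets[ticket_id]
            return None
        st.uses += 1
        if st.uses >= self.number_of_uses:
            del self._tickets[ticket_id]
        return st.principal


SERVICE = "https://example.com/"   # the service from the original post


def replay_scenario(number_of_uses: int, delay_seconds: float):
    """Alice's app validates her ST once; Bob opens the bookmarked URL delay_seconds later.

    Returns (alice_logged_in, bob_logged_in_as_alice).
    """
    registry = TicketRegistry(time_to_kill_seconds=10.0, number_of_uses=number_of_uses)
    t0 = 1_000_000.0                         # constructed clock value
    ticket = registry.grant("alice", SERVICE, t0)
    alice = registry.validate(ticket, SERVICE, t0 + 0.5)
    bob = registry.validate(ticket, SERVICE, t0 + 0.5 + delay_seconds)
    return alice == "alice", bob == "alice"


def validation_burst(number_of_uses: int, attempts: int) -> int:
    """Model a client that validates the same ST `attempts` times in quick succession
    (the asynchronous-JS case from the thread). Returns how many attempts succeed."""
    registry = TicketRegistry(time_to_kill_seconds=10.0, number_of_uses=number_of_uses)
    t0 = 1_000_000.0
    ticket = registry.grant("alice", SERVICE, t0)
    return sum(registry.validate(ticket, SERVICE, t0 + i * 0.01) == "alice"
               for i in range(attempts))


if __name__ == "__main__":
    print("number-of-uses=1, Bob 1s later:      ", replay_scenario(1, 1.0))
    print("number-of-uses=20, Bob 1s later:     ", replay_scenario(20, 1.0))
    print("number-of-uses=20, Bob an hour later:", replay_scenario(20, 3600.0))
    print("burst of 3 validations, 1 use:       ", validation_burst(1, 3))
```

The model makes the trade-off in Petr's caveat visible: with number-of-uses=1 Bob's replay fails even inside the TTL, but a client that fires several validation requests only gets the first one through; raising the limit to 20 keeps that client working yet lets Bob in if he follows the link within the TTL, so a short lifetime is what closes the gap in that configuration.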


[cas-user] Prevent users bookmarking and sharing URLs containing CAS ticket

2022-03-04 Thread Rob Pumphrey
Hi,
We have had a user complain about the behaviour of an application protected
by CAS single sign-on.

The user Alice has logged into the application via the CAS login page, then 
pressed back on their browser and bookmarked the URL with 
https://example.com/?ticket=ST-344-adfafff..
Alice has then shared that URL with another person, Bob.
Bob navigates to the link supplied by Alice and is now logged into the 
application as Alice. This is a surprise to Alice and Bob.

Is there any way to help prevent users bookmarking URLs containing the 
ticket?
Is there any way to prevent Bob logging in as Alice with the URL with 
Alice's ticket?

We currently are thinking that we have to educate users not to bookmark the 
URLs that have the ticket parameter, but that seems a bit weak.

Any suggestions or insight would be welcome.
Thanks in advance.
Rob
