Hello,
I totally agree with you. I see it as a problem, more so when applications
are often developed with frameworks that have these basic bugs.
I would suggest that CAS developers use information from the client's
environment (e.g. source IP, browser type, etc.) that will associate the TGT
in
Hello,
By default, the TGC cookie does _not_ have HttpOnly. If the app. (using CAS
for authentication) has an XSS vulnerability, someone could inject JS, read the
TGC cookie and submit it to the CAS server; even though it is encrypted and
signed, the CAS server will not know this TGC cookie is from an attacker.
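As an added example (not from either message above, and not CAS project code), a small Python check that reads Set-Cookie headers from a CAS response and reports whether the TGC cookie carries the HttpOnly flag discussed here, plus Secure and SameSite. The headers below are constructed samples, not captured from a real CAS server.

```python
"""Audit Set-Cookie headers for the CAS ticket-granting cookie (TGC)."""

# Constructed sample headers: the first is what the thread describes
# (no HttpOnly), the second is a hardened variant, the third is unrelated.
SAMPLE_HEADERS = [
    "TGC=TGT-1-EXAMPLE; Path=/cas; Secure",
    "TGC=TGT-2-EXAMPLE; Path=/cas; Secure; HttpOnly; SameSite=Lax",
    "JSESSIONID=EXAMPLE; Path=/cas; HttpOnly",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased because they are case-insensitive;
    flag attributes such as HttpOnly map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return name.strip(), value.strip(), attrs


def audit_tgc(header, cookie_name="TGC"):
    """Return the hardening attributes missing from the TGC cookie.

    Returns None when the header sets some other cookie, an empty list
    when HttpOnly, Secure and SameSite are all present.
    """
    name, _value, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return None
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")  # script on the CAS origin can read it
    if "secure" not in attrs:
        missing.append("Secure")    # cookie would also travel over plain HTTP
    if "samesite" not in attrs:
        missing.append("SameSite")  # no cross-site request restriction
    return missing


def audit_headers(headers, cookie_name="TGC"):
    """Map each TGC Set-Cookie header to its list of missing attributes."""
    return {h: m for h in headers
            if (m := audit_tgc(h, cookie_name)) is not None}


if __name__ == "__main__":
    for header, missing in audit_headers(SAMPLE_HEADERS).items():
        print(header, "->", "OK" if not missing else "missing " + ", ".join(missing))
```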