Re: [cas-user] CAS SSO User logged in as another user

2018-09-06 Thread Ray Bon
Juan,

The session id is managed by tomcat. If this happened once, then it could be 
chalked up to coincidence. But that does not sound like the case.
You might try the tomcat forums.
In the meantime you could try changing jsessionid to something else 
(jsessionidcas) to avoid potential conflicts with other tomcat sessions. (All 
CAS servers in the cluster need the same setting.)
It can be set in the application's web.xml or in tomcat; see 
https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Common_Attributes.

Ray

On Tue, 2018-09-04 at 20:48 +, Juan Quintanilla wrote:

Hi,


We recently encountered an interesting issue with our CAS implementation. In a 
few rare cases we have had some users report that when logging into a client 
application (Canvas) they were logged in as another user. In brief, User A 
attempts to log in with an auto-saved password and User B was also logging in 
around the same time as User A. When User A is logged in they see User B's 
information.


After taking a look at the audit logs we noticed that when User A was logging 
in there was no login entry; they were given a service ticket with their IP and 
User B's username as if they had already authenticated. For User B we did see the 
login authentication and the ST and TGT created under their IP, but we later 
saw that the TGT was destroyed under User A's IP. Also, looking in the access 
logs, I found that for this particular case the 2 users had the same JSESSIONID.


99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/login?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 200 5830
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/app.js HTTP/1.1" 200 526
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/cas.css HTTP/1.1" 200 8796
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/images/fiu_logo.png HTTP/1.1" 200 12186
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:28 -0400] "GET /cas/favicon.ico;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69 HTTP/1.1" 200 3262


c-98-254-138-84.hsd1.fl.comcast.net - - [02/Sep/2018:12:20:30 -0400] "POST /cas/login;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 302 -
- - - [31/Dec/1969:18:59:59 -0500] "-" 505 -



So my question would be: what might cause this to happen? Could the fact that 
they had the same jsessionid cause the user to log in as the other user?





___
Juan Quintanilla
jquin...@fiu.edu


--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | r...@uvic.ca

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1536255620.2801.9.camel%40uvic.ca.


[cas-user] CAS SSO User logged in as another user

2018-09-05 Thread Andrew Marker
We had a similar issue with a service that was behind a load balancer. 
Benito@Unicon helped to identify the issue. The IP address of the client is 
used in the generation of the session ID. Once our service went to production 
the volume of requests was great and the pool of IDs was limited by the 
narrowed pool. So randomly, two users would use one session.

I don't know if that is the problem here, but it is a great cautionary tale of 
not...

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/58f150cf-73a3-475f-9a85-ea9b5724f8ca%40apereo.org.


[cas-user] CAS SSO User logged in as another user

2018-09-05 Thread Juan Quintanilla
Hi,


We are running CAS 3.6 with tomcat 8, and in some instances when 2 users are 
logging in, User A is logged in as User B on the client application. So the 
session information for the first user ends up being used.


We noticed that in the tomcat access logs both users shared the same 
JSESSIONID. It appears that a unique JSESSIONID was not generated for the 
second user when they arrived on the login page.


Has anyone encountered a similar issue? If so, any suggestions?


Thanks!



___
Juan Quintanilla
jquin...@fiu.edu



To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/MWHPR05MB28148A5469C89AAF6F4B1DA786020%40MWHPR05MB2814.namprd05.prod.outlook.com.


[cas-user] CAS SSO User logged in as another user

2018-09-04 Thread Juan Quintanilla
Hi,


We recently encountered an interesting issue with our CAS implementation. In a 
few rare cases we have had some users report that when logging into a client 
application (Canvas) they were logged in as another user. In brief, User A 
attempts to log in with an auto-saved password and User B was also logging in 
around the same time as User A. When User A is logged in they see User B's 
information.


After taking a look at the audit logs we noticed that when User A was logging 
in there was no login entry; they were given a service ticket with their IP and 
User B's username as if they had already authenticated. For User B we did see the 
login authentication and the ST and TGT created under their IP, but we later 
saw that the TGT was destroyed under User A's IP. Also, looking in the access 
logs, I found that for this particular case the 2 users had the same JSESSIONID.


99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/login?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 200 5830
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/app.js HTTP/1.1" 200 526
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/cas.css HTTP/1.1" 200 8796
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/images/fiu_logo.png HTTP/1.1" 200 12186
99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:28 -0400] "GET /cas/favicon.ico;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69 HTTP/1.1" 200 3262


c-98-254-138-84.hsd1.fl.comcast.net - - [02/Sep/2018:12:20:30 -0400] "POST /cas/login;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 302 -
- - - [31/Dec/1969:18:59:59 -0500] "-" 505 -



So my question would be: what might cause this to happen? Could the fact that 
they had the same jsessionid cause the user to log in as the other user?





___
Juan Quintanilla
jquin...@fiu.edu

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CY4PR05MB28077911DE2B218088B73AE286030%40CY4PR05MB2807.namprd05.prod.outlook.com.
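As an added example (not code from this thread, from CAS or from Tomcat), the check below takes Tomcat access-log lines like the ones posted in the original message and reports any JSESSIONID that appears from more than one client host within a short window, which is the symptom being asked about: one session id, two users. The five GET lines and the POST line embedded in it are copied from the post; the log pattern (Tomcat's common access-log format with the session id rewritten into the URL path), the regular expressions and the 300-second window are my own assumptions, and the script would need the Cookie header logged to catch sessions that are only carried in a cookie.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: Tomcat AccessLogValve "common" pattern, as in the posted lines:
#   host ident authuser [dd/Mon/yyyy:HH:MM:SS zone] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Session id rewritten into the URL path (";jsessionid=...") or, if the valve is
# configured to log the Cookie header, a "JSESSIONID=..." pair. Tomcat ids are hex.
SID_RE = re.compile(r'(?:;jsessionid=|JSESSIONID=)(?P<sid>[0-9A-Fa-f]+)', re.IGNORECASE)

# Access-log lines copied from the original post (the wrapped POST line joined back up).
SAMPLE_LOG = [
    '99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/login?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 200 5830',
    '99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/app.js HTTP/1.1" 200 526',
    '99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/cas.css HTTP/1.1" 200 8796',
    '99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:27 -0400] "GET /cas/themes/olcanvas1/images/fiu_logo.png HTTP/1.1" 200 12186',
    '99-109-76-128.lightspeed.miamfl.sbcglobal.net - - [02/Sep/2018:12:20:28 -0400] "GET /cas/favicon.ico;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69 HTTP/1.1" 200 3262',
    'c-98-254-138-84.hsd1.fl.comcast.net - - [02/Sep/2018:12:20:30 -0400] "POST /cas/login;jsessionid=0C6DC0B7927A4024EFA762D90E1BCF69?service=https%3A%2F%2Ffiu.instructure.com%2Flogin%2Fcas HTTP/1.1" 302 -',
    '- - - [31/Dec/1969:18:59:59 -0500] "-" 505 -',
]


def parse_line(line):
    """Return (host, timestamp, request, status) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("request"), int(m.group("status"))


def extract_session_id(request):
    """Pull the session id out of the request line, normalised to upper case."""
    m = SID_RE.search(request)
    return m.group("sid").upper() if m else None


def find_shared_sessions(lines, window_seconds=300):
    """Return {session_id: sorted hosts} for every session id that two different
    client hosts presented within window_seconds of each other.

    A session id is meant to identify one browser, so seeing it from two hosts a
    few seconds apart is the cross-user symptom described in the thread. The window
    keeps a single user who roams between networks over a longer period out of the
    report; tune it to the site's session timeout.
    """
    uses = defaultdict(list)  # sid -> [(timestamp, host), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than abort the sweep
        host, ts, request, _status = parsed
        sid = extract_session_id(request)
        if sid is not None:
            uses[sid].append((ts, host))

    shared = {}
    for sid, events in uses.items():
        events.sort()  # chronological order, so neighbours are the closest uses
        hosts = set()
        for (t_prev, h_prev), (t_cur, h_cur) in zip(events, events[1:]):
            if h_prev != h_cur and (t_cur - t_prev).total_seconds() <= window_seconds:
                hosts.update((h_prev, h_cur))
        if hosts:
            shared[sid] = sorted(hosts)
    return shared


if __name__ == "__main__":
    for sid, hosts in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} used by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against the posted lines it reports the one session id presented by both the sbcglobal.net host (the GET that received the session) and the comcast.net host (the POST two seconds later); on a real log, feed it the whole day's file and a hit is worth pairing with the CAS audit log entries for the same timestamps, as the original poster did.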