Hi Ray, Is about cas 5.2.4 I can confirm that the tgc is persistent during browser restarts and not persistent when remember me is not checked. When remember me is not checked, the tgc in Chrome is marked as "until the browser session ends"
You are totally corect with your statement about remember me. But taken the more common example with fb. You log in once, then nobody will bother you ever again. Lol. You close the browser so then the conclusion is that the cookie remains there I can send you later some sshots to show you how the tgc is showing up there. I tested this scenario by connecting my laptop to my hotspot on my phone. The only subtle difference is that I needed to switch also my laptop running cas to that hotspot and also the client in my case the iPad. Otherwise these 2 devices are not be able to see each other. In the original scenario, only the client network will change, the server will be the same. So yeah I don't know. I have to determine first if this is only reproducible on iPad. This bling bling device is such a troublemaker in general On Thu, Dec 6, 2018, 02:18 Ray Bon <[email protected] wrote: > I am running CAS 5.2.7 and the TGC has session lifetime regardless of > 'Remember me'. If I close my browser, the TGC will be removed (firefox and > chrome). I could be wrong, but I understand 'Remember me' as a way of > providing an SSO session that is longer than the app session (not a way to > persist across browser shutdowns). When the app session ends, it goes back > to CAS where log in is automatic. > If the TGC is still present after you close your browser, it could be odd > browser behaviour. > > What version of CAS are you using? > > I have not been in a position to test switching networks, so can not > provide first hand experience in this regard. > > It is possible that the TGC is bound to an ip address. I have not looked > at the code for its creation. Perhaps a security measure to prevent two > different devices from using the same TGC. > > Ray > > On Thu, 2018-12-06 at 00:42 +0200, darKu wrote: > > Hi Ray, > > First of all thank you for your interest into this problem. > Remember me works. > > User logs in with remember me checked > Close browser, on windows I close Chrome from taskbar/taskmanager, since > chrome is working somehow in the backround. On iPad I close safari from > running apps > When I open up again Chrome and check the cookies just the TGC is present > since remember me was used, no app cookie as you stated out, app cookie > expired when the browser was closed, as well TGC will not be present if the > user didn't check remember me - the same thing you stated out. > Then I access the app. It works in both scenarios :pc and iPad > > However if I switch the network and I will be doing the same step then > instead I get redirected to the login form. > > So why in this case cas tgc doesn't get validated or sent? (maybe just the > iPad is the troublemaker not sending the tgc? ) as I said I was able to > reproduce it on my DEV. > I have to try in prod on my laptop and see if I switch on my laptop the > network will this work or not. > > Regarding your statement about app session. Hmmm that would be interesting > to try. Definitely here I have more control so I should be doing the app > session as long term authenticated > > > > > > On Wed, Dec 5, 2018, 20:02 Ray Bon <[email protected] wrote: > > Catalin, > > 'Remember me' is a CAS session option and has nothing to do with your app > session. Closing your browser and keeping the log in to your app means that > your app has a long term cookie that lives while your browser is closed. > The CAS TGC, by default, will expire if the browser is closed. If you > visit a new app you would have to log in again. > > If your apps require log in after a network change, that is an app config > issue. > > Are users closing the browser when switching networks? > > If you want to see 'Remember me' in action, after logging in to your app > and waiting the minimum CAS session time, delete your app's cookies (not > CAS cookies). When you revisit your app, you will be redirected to CAS and > log in will proceed automatically. > > > > On Wed, 2018-12-05 at 01:43 -0800, Catalin Dobrea wrote: > > Hi, > > We use CAS 5.2.4 to protect some of our web apps and have SSO over them. > > One of our clients complains about this scenario: > > - The user authenticates successfully, via "Remember me" option presented > on the login form offered by CAS. (I can confirm that this long term > authentication works, for e.g. I'm closing Chrome from memory and then when > visiting the app no login is required) > - The users of the client are pretty much in the move, so they access the > apps we offer (protected by CAS) from different places: mobile network, > different wifis. > - So they complain that when they change the network they are required to > authenticate again even though they checked before the "Remember me" option. > > So my questions are: > > - Is this long term authentication sensible to IP changes? > - How this can be bypassed? - I scrolled thorough cas.properties to see > anything that might tweak this scenario but I was unable to identify any of > those > - I was able to reproduce this problem locally on my dev env, by > switching networks, another important thing is that devices from which they > access our apps are iPADs with Safari iOS 12 or so. I used an iPad as well > when reproducing this scenario > Can this also be the cause? because sometimes is a nightmare doing > custom things for iOS. So, can it happen that the TGC is not being sent on > Safari iOS when the network changes? > > Any starting point, helping me to find a fix or at least an explanation if > this scenario is intended, would be really appreciated! > > Thanks > > -- > Ray Bon > Programmer analyst > Development Services, University Systems > 2507218831 | CLE 019 | [email protected] > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/1544032921.2944.71.camel%40uvic.ca > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1544032921.2944.71.camel%40uvic.ca?utm_medium=email&utm_source=footer> > . > > -- > Ray Bon > Programmer analyst > Development Services, University Systems > 2507218831 | CLE 019 | [email protected] > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/1544055504.2944.90.camel%40uvic.ca > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1544055504.2944.90.camel%40uvic.ca?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAG6_%3DYBPEWWhYMfk8mSNjEFYO5UeN%3DEFt8jTbe_8FcCZSyK5HA%40mail.gmail.com.
