Hello,
I think you should look into TGT/ST expiration and validation policies:
https://apereo.github.io/cas/6.4.x/ticketing/Configuring-Ticket-Expiration-Policy.html
For example, setting
cas.ticket.st.number-of-uses=1
will make CAS invalidate the service ticket after one validation
attempt. Subsequent validations will fail.
This might be your server-side mitigation. The setting can also be defined
per service.
You need to take special care sometimes, as some JS applications, with
their asynchronous requests, might make more than one validation attempt.
We have even seen differences between browsers... FF and Safari were fine
with one validation, IE needed a limit of 20 validations to work
correctly. The root cause of this was in the particular application, so YMMV.
Cheers,
Fiisch
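To make the single-use behaviour concrete, below is a small Python model of CAS service-ticket validation with a use count and a time-to-live. It is an added illustration, not code from CAS or from either poster: the service-registry entries are constructed for the example, the per-service `serviceTicketExpirationPolicy` block is modeled on the CAS JSON service registry format (check the exact field names against the docs for your CAS version), and the class and function names are the example's own. It plays out the scenario from the original mail (Alice's application validates the ticket once, then Bob replays the bookmarked URL) under the global `number-of-uses=1` default and under a per-service override of 20.

```python
"""
Toy model of CAS service-ticket (ST) validation with a use-count limit.

Added example, not CAS code. It models the global
cas.ticket.st.number-of-uses / time-to-live settings and a per-service
override. The registry JSON below is constructed and only modeled on the
CAS JSON service registry format (assumption: verify field names for
your CAS version).
"""
import json
import re
import time
from dataclasses import dataclass

# Constructed service registry (not from the original thread).
SERVICE_REGISTRY_JSON = r"""
[
  {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https://example\\.com/.*",
    "name": "example-app",
    "id": 10
  },
  {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https://legacy-ie\\.example\\.com/.*",
    "name": "legacy-ie-app",
    "id": 11,
    "serviceTicketExpirationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy",
      "numberOfUses": 20,
      "timeToLive": "10"
    }
  }
]
"""


@dataclass
class ServiceTicket:
    id: str
    service: str
    created: float
    uses: int = 0


class TicketRegistry:
    """Hypothetical in-memory ST registry enforcing uses and TTL."""

    def __init__(self, registry_json, default_number_of_uses=1, default_ttl_seconds=10):
        self.services = json.loads(registry_json)
        self.default_uses = default_number_of_uses
        self.default_ttl = default_ttl_seconds
        self.tickets = {}
        self._counter = 0

    def _policy_for(self, service_url):
        # Per-service policy wins; otherwise fall back to the global settings.
        for svc in self.services:
            if re.match(svc["serviceId"], service_url):
                pol = svc.get("serviceTicketExpirationPolicy")
                if pol:
                    return int(pol["numberOfUses"]), float(pol["timeToLive"])
                return self.default_uses, self.default_ttl
        raise ValueError("unregistered service: " + service_url)

    def grant(self, service_url, now=None):
        self._policy_for(service_url)  # reject unregistered services up front
        self._counter += 1
        st_id = f"ST-{self._counter}"
        self.tickets[st_id] = ServiceTicket(st_id, service_url, now or time.time())
        return st_id

    def validate(self, st_id, service_url, now=None):
        """True once per allowed use; False for replay, wrong service or expiry."""
        now = now if now is not None else time.time()
        st = self.tickets.get(st_id)
        if st is None or st.service != service_url:
            return False
        max_uses, ttl = self._policy_for(st.service)
        if now - st.created > ttl:
            del self.tickets[st_id]  # expired
            return False
        st.uses += 1
        ok = st.uses <= max_uses
        if st.uses >= max_uses:
            del self.tickets[st_id]  # ticket is spent
        return ok


def replay_scenario(service_url, default_number_of_uses=1, default_ttl=10):
    """Alice's app validates once, Bob replays after 5 s, then a stale ticket after 60 s."""
    reg = TicketRegistry(SERVICE_REGISTRY_JSON, default_number_of_uses, default_ttl)
    t0 = 1_000_000.0
    st = reg.grant(service_url, now=t0)
    alice = reg.validate(st, service_url, now=t0 + 1)
    bob = reg.validate(st, service_url, now=t0 + 5)
    stale = reg.grant(service_url, now=t0)
    late = reg.validate(stale, service_url, now=t0 + 60)
    return {"alice": alice, "bob_replay": bob, "late_replay": late}


if __name__ == "__main__":
    print(replay_scenario("https://example.com/app"))
    print(replay_scenario("https://legacy-ie.example.com/app"))
```

The `legacy-ie-app` entry shows the caveat in the reply above: raising the limit to 20 for one application that validates more than once also lets Bob's replay succeed for as long as the ticket's time-to-live allows, so scope such an override to that single service and keep the TTL short rather than relaxing the global setting.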
On 03/04/2022 12:02 PM, Rob Pumphrey wrote:
Hi,
We have had a user complain about the behaviour of an application
protected by CAS single sign on.
The user Alice has logged into the application via the CAS login page,
then pressed back on their browser and bookmarked the URL with
https://example.com/?ticket=ST-344-adfafff......
Alice has then shared that URL with another person, Bob.
Bob navigates to the link supplied by Alice and is now logged into the
application as Alice. This is a surprise to Alice and Bob.
Is there any way to help prevent users bookmarking URLs containing the
ticket?
Is there any way to prevent Bob logging in as Alice with the URL with
Alice's ticket?
We are currently thinking that we have to educate users not to
bookmark the URLs that have the ticket parameter, but that seems a bit
weak.
Any suggestions or insight would be welcome.
Thanks in advance.
Rob
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b1a5bf3d-e7cc-4065-8f14-ece00e261af3n%40apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/82866bd3-6772-c82d-1ee5-b4ef98d07f54%40gmail.com.