Excellent, thank you. Our ST expiration lifetime is too long.
On Friday, 4 March 2022 at 12:20:13 UTC [email protected] wrote:
> Hello,
> I think you should look into TGT/ST expiration and validation policies:
> https://apereo.github.io/cas/6.4.x/ticketing/Configuring-Ticket-Expiration-Policy.html
>
> For example, setting
>
>     cas.ticket.st.number-of-uses=1
>
> will make CAS invalidate the service ticket after one validation attempt.
> Subsequent validations will fail.
> This might be your server-side mitigation. The setting can also be defined
> per-service.
>
> You need to take special care sometimes, as some JS applications, with
> their asynchronous requests, might make more than one validation attempt.
> We have even seen differences between browsers... FF and Safari were fine with
> one validation, IE needed a limit of 20 validations to work correctly. The root
> cause of this was in the particular application, so YMMV.
>
> Cheers,
> Fiisch
>
> On 03/04/2022 12:02 PM, Rob Pumphrey wrote:
>> Hi,
>> We have had a user complain about the behaviour of an application
>> protected by CAS single sign on.
>>
>> The user Alice has logged into the application via the CAS login page,
>> then pressed back on their browser and bookmarked the URL with
>> https://example.com/?ticket=ST-344-adfafff......
>> Alice has then shared that URL with another person, Bob.
>> Bob navigates to the link supplied by Alice and is now logged into the
>> application as Alice. This is a surprise to Alice and Bob.
>>
>> Is there any way to help prevent users bookmarking URLs containing the
>> ticket?
>> Is there any way to prevent Bob logging in as Alice with the URL with
>> Alice's ticket?
>>
>> We are currently thinking that we have to educate users not to bookmark
>> the URLs that have the ticket parameter, but that seems a bit weak.
>>
>> Any suggestions or insight would be welcome.
>> Thanks in advance.
>> Rob
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/b1a5bf3d-e7cc-4065-8f14-ece00e261af3n%40apereo.org

--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ad621aa0-b3af-4222-ad08-29cdcc73dc8an%40apereo.org.
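As an added illustration of why the policies Fiisch points at close the bookmark-replay problem, here is a small Python model of a CAS-style service ticket registry. It is example code written for this thread, not CAS code: `max_uses` and `ttl_seconds` are stand-ins for `cas.ticket.st.number-of-uses` and the matching time-to-live property, the service URL and ticket format are constructed sample values, and the injectable clock exists only so the TTL path can be exercised without sleeping.

```python
"""Model of a CAS-style service ticket (ST) registry that enforces the two
expiration policies discussed in the thread: a per-ticket validation counter
(what number-of-uses=1 gives you) and a short time-to-live, plus the binding of
an ST to the service URL it was issued for.  Added example, not CAS's own code."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class ServiceTicket:
    service: str       # service URL the ticket was granted for
    issued_at: float   # clock reading at grant time
    uses: int = 0      # validation attempts consumed so far


@dataclass
class ServiceTicketRegistry:
    """In-memory ST store with a use-count and TTL expiration policy."""
    max_uses: int = 1              # stand-in for cas.ticket.st.number-of-uses
    ttl_seconds: float = 10.0      # stand-in for the ST time-to-live setting
    _clock: Callable[[], float] = time.monotonic   # injectable for tests
    _tickets: dict = field(default_factory=dict)
    _seq: int = 0

    def grant(self, service: str) -> str:
        """Issue a fresh ST; CAS ids look like ST-<sequence>-<random> (constructed format)."""
        self._seq += 1
        ticket_id = f"ST-{self._seq}-{secrets.token_urlsafe(24)}"
        self._tickets[ticket_id] = ServiceTicket(service, self._clock())
        return ticket_id

    def validate(self, ticket_id: str, service: str) -> tuple[bool, str]:
        """Mimic a serviceValidate call: returns (ok, CAS-style reason code)."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return False, "INVALID_TICKET"          # unknown, consumed or expired
        if st.service != service:
            return False, "INVALID_SERVICE"         # ST is bound to one service URL
        if self._clock() - st.issued_at > self.ttl_seconds:
            del self._tickets[ticket_id]
            return False, "INVALID_TICKET"          # expired by TTL
        st.uses += 1
        if st.uses >= self.max_uses:
            del self._tickets[ticket_id]            # consumed: any replay now fails
        return True, "OK"


def bookmark_replay_scenario(max_uses: int = 1, ttl_seconds: float = 10.0,
                             delay_seconds: float = 0.0) -> list[str]:
    """Replay the thread's scenario with a fake clock: Alice's browser validates
    the ST once, then the bookmarked URL carrying the same ST is presented again
    after `delay_seconds`.  Returns the two validation outcomes in order."""
    now = [1000.0]
    registry = ServiceTicketRegistry(max_uses=max_uses, ttl_seconds=ttl_seconds,
                                     _clock=lambda: now[0])
    service = "https://example.com/"               # constructed sample service
    ticket = registry.grant(service)
    outcomes = [registry.validate(ticket, service)[1]]     # Alice's own login
    now[0] += delay_seconds
    outcomes.append(registry.validate(ticket, service)[1])  # bookmarked URL replayed
    return outcomes


if __name__ == "__main__":
    print("number-of-uses=1:           ", bookmark_replay_scenario())
    print("number-of-uses=20, replay:  ", bookmark_replay_scenario(max_uses=20))
    print("number-of-uses=20, TTL hit: ", bookmark_replay_scenario(max_uses=20, delay_seconds=3600))
```

The three scenarios in the `__main__` block map onto the thread: with a single-use ST the replay of the bookmarked URL is rejected; raising the limit to 20 (the IE workaround Fiisch mentions) lets an immediate replay through, which is why a short TTL is still needed as the second line of defence; and with that TTL an old bookmark fails even when the use count would have allowed it.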
