Just my 2 cents: after installing Tomcat 9.0.43 and CAS 6.3.2 we did not face the issue anymore (it’s been 2 years so far…)
De: Freedom K <[email protected]> Enviado el: martes, 3 de enero de 2023 11:37 Para: CAS Community <[email protected]> CC: [email protected] <[email protected]>; Andy Ng <[email protected]>; Florent Vallée <[email protected]>; jrautureau <[email protected]> Asunto: Re: [cas-user] Problem with CAS 6.2.6 I am also facing the same issue. I am using OKTA as authenticator so when I try to login and the browser redirects to okta login page, if I wait 2 minutes and then provide my credentials, then the JSESSION changes resulting in loosing the destination service and redirecting to cas default page. If I provide immediate the credentials, then there is no issue. I am using cas 5.2.9 and Tomcat/8.5.35 Do you recommend to upgrade tomcat? Can I do it by keeping the same cas version? On Sunday, March 28, 2021 at 6:20:58 PM UTC+3 [email protected] <mailto:[email protected]> wrote: Hi Andy, your idea of using the Chrome throttling, somehow led us to the idea of "could it be a Tomcat issue?". Then we tested with an embedded one we had and the issue did not occur, and it was a newer version. Next step was to update the older Tomcat and that's it! El domingo, 28 de marzo de 2021 a las 0:25:56 UTC-3, Andy Ng escribió: Hello, Nice to hear that the Chrome throttling idea leader to new discovery. It seems like this post might describe your issue: https://support.f5.com/csp/article/K85361055 It specifically said upgrading to at least 9.0.34 or above can solve the issue, so that's excluding your previous 9.0.33 which is possible why it have the issue. Cheers, Andy On Saturday, 27 March 2021 at 07:12:00 UTC+8 [email protected] <mailto:[email protected]> wrote: Finally after doing some research we updated the Tomcat from v9.0.33 to 9.0.43 and the issue seems to be solved. At least we tested with one particular user that was having this problem almost all the time, and with the Chrome throttling and we couldn't reproduce it again. El viernes, 26 de marzo de 2021 a las 11:27:15 UTC-3, Nicolás López escribió: Additional information: using the Chrome throttling, with a custom profile entering ANY value for the upload speed (even 100Mb) the issue can be reproduced. Can anybody please test if it happens under this scenario? El viernes, 26 de marzo de 2021 a las 10:19:48 UTC-3, Nicolás López escribió: If I use the 3G throttling in Chrome for log in I can reproduce the issue consistently...now what should I do with this information? :D Using firefox, even with the GPRS profile it logs in without any problem. With the throttling you can just set upload/download max speed and latency, it looks so wierd. El viernes, 26 de marzo de 2021 a las 7:01:39 UTC-3, Andy Ng escribió: Hi all, I think I also am running out of idea, let see if the following would help identify the issue: 1. Would it be your firewall blocking other browser but allow only Firefox? * You said using 4G will work but Wifi will not work. Usually company firewall only block Wifi and not 4G, so it is a possible issue 2. CAS server and client need to have communication between them, good to take a look see if that is ok 3. Would there be a special proxy in firefox that make it a different browser than Chrome / Edge * it is normal for me to forget to turn of proxy for Firefox after use, maybe it is the same issue as well 4. If network is involved, Chrome does have a Network speed throttle feature, which might or might not be helpful: 1. Open Chome, 2. Press F12, 3. Click on "No throttling" 4. Select Fast 3G or other type of throttling 5. Well.... Sometime this type of throttling will produced differnet result than using just using normal network speed browser. If nothing happen then oh well See if this would helps... Cheers, Andy On Friday, 26 March 2021 at 16:49:18 UTC+8 Florent Vallée wrote: Hello, We tried the 2 solutions but none worked. We don't have any issues if we're connected on wifi, we only have the issue with 4G connection (smartphone with 4G or on computer with 4G shared connection) We tried with version 6.1, 6.2 and 6.3. Any other ideas ? We are desperate. Regards, Florent _____ De: "Andy Ng" <[email protected] <mailto:[email protected]> > À: "CAS Community" <[email protected] <mailto:[email protected]> > Cc: "[email protected] <mailto:[email protected]> " <[email protected] <mailto:[email protected]> >, "jrautureau" <[email protected] <mailto:[email protected]> > Envoyé: Jeudi 25 Mars 2021 02:44:03 Objet: Re: [cas-user] Problem with CAS 6.2.6 Hi all, On our side we are using 6.2.x and in production, no such problem observed. We did implemented a customization multiple customization regarding cookies, which are: * Samesite = None * 3rd party cookie Since I cannot reproduce the issue now, if anybody is free please help try the following verification method to identify the issue: Note: Just throwing some idea out here, it might not work but I think worth some testing For Samesite=None: I made a post a while ago regarding this and the code needed for the fix, so not reposting again. For some additional reading what is samesite=None, and code to fix the issue, see this: https://www.chromium.org/updates/same-site/incompatible-clients For checking if this is indeed the issue, try the following (After enabled only visit trusted website, and rollback immediately is recommended): 1. Open Chrome: 2. Go to chrome://flags/ 3. Search "samesite" 4. Set all 3 items to "Disabled" 5. Restarts 6. Try to login again, see if issue is solve 7. Rememeber to go back to chrome://flags/ and restore setting after testing For 3rd party cookie: This is unlikely the issue but let's also try verify it: 1. Open Chrome 2. Go to Setting > Privacy and Security > Cookie and Site Data 3. Set All cookie 4. Restarts 5. Try to login again, see if issue is solve 6. Remember to rollback if want to If issue indeed is one of them, can work on implementing a patch to CAS to fix the issue. If not then, well I am currently out of idea... Regards, Andy On Tuesday, 23 March 2021 at 22:19:39 UTC+8 [email protected] <mailto:[email protected]> wrote: Unfortunately it did not solve the issue. But it seems to be a very old problem https://bugs.chromium.org/p/chromium/issues/detail?id=533625 Anybody else experiencing the same behaviour? El jueves, 18 de marzo de 2021 a las 11:47:34 UTC-3, Nicolás López escribió: We are goint to try it and then will share the results. Thanks! El jueves, 18 de marzo de 2021 a las 4:31:40 UTC-3, jrautureau escribió: Hello Have you tried to set cas.tgc.pin-to-session to false ? We had issues on tgc cookie witch were invalidated due to network changes. For instance, when we switch to a new http proxy or when we connect to a VPN. Since the property set to false the tgc remains valid. We are using the remember me feature. Le jeu. 18 mars 2021 à 03:32, Nicolás López <[email protected] <mailto:[email protected]> > a écrit : Same issue here. Did anybody find a solution or workaround? El viernes, 5 de febrero de 2021 a las 7:35:18 UTC-3, [email protected] <mailto:[email protected]> escribió: Same issue : https://groups.google.com/a/apereo.org/g/cas-user/c/2CVCGqJOhgE/m/OlV7o8UoAgAJ Any idea ? Le mardi 2 février 2021 à 14:33:21 UTC+1, Florent Vallée a écrit : Hello, I installed a CAS server in version 6.2.7. No worries for the connection and the connection to the different services. We are only having a weird problem. On a computer, with Firefox no worries, on the other hand with Chrome, Edge, etc. and even on a smartphone with any browser, the CAS connection page loops permanently and does not connect to the service. It sometimes happens that by trying again 4-5 times in a row it will work but it is very random. If we simply connect to the login page we can connect well. Can it be a problem with cookies management, redirects or other? I can't find what options added in the cas.properties Does anyone have any configuration examples? Thank you for your help. Florent _____ De: "Ray Bon" <[email protected] <mailto:[email protected]> > À: "CAS Community" <[email protected] <mailto:[email protected]> > Envoyé: Lundi 1 Février 2021 18:24:29 Objet: Re: [cas-user] Problem with CAS 6.2.6 Florent, Once you have authenticated, cas will return a TGC (ticket granting cookie) to the browser. As long as this cookie is active, you should not see the log in page. Those browsers my have some security settings that affect the TGC. Use you developer tools to see if the TGC is being deleted or not sent to cas. There are some cookie setting, https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#cookie-properties and https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#ticket-granting-cookie. Ray On Mon, 2021-02-01 at 14:19 +0100, Florent Vallée wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. Hello, I have a problem with CAS, I have access on any browser to the authentication page and it returns me the requested attributes. However, when I want to connect to an authorized service, it only works on Firefox. On Edge, Chrome this constantly returns me to the authentication page. Anyone have any idea what the problem is? Florent -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 <tel:(250)%20721-8831> | CLE 019 | [email protected] <mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c65f808fc4b75ed31cf4582b3fe872b87b9894b1.camel%40uvic.ca <https://groups.google.com/a/apereo.org/d/msgid/cas-user/c65f808fc4b75ed31cf4582b3fe872b87b9894b1.camel%40uvic.ca?utm_medium=email&utm_source=footer> . -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/22230b33-e79d-4efc-83b6-97e4969e5ef9n%40apereo.org <https://groups.google.com/a/apereo.org/d/msgid/cas-user/22230b33-e79d-4efc-83b6-97e4969e5ef9n%40apereo.org?utm_medium=email&utm_source=footer> . -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1daeb831-124f-47bb-a8d7-2b7bbf7a0df7n%40apereo.org <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1daeb831-124f-47bb-a8d7-2b7bbf7a0df7n%40apereo.org?utm_medium=email&utm_source=footer> . -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0d6701d9210b%24ae830800%240b891800%24%40gmail.com.
