[cas-dev] Security Issue
Trenton D. Adams
trenta at athabascau.ca
Wed Mar 12 19:54:47 EDT 2008
Hi Guys,
I'm using CAS 2, not 3.
Wouldn't it be a little better to use CASTGC cookies that only work with
the original IP? As it is, if someone were to use regular HTTP (vs
HTTPS), I could hack into their account after I have the CASTGC cookie.

After realizing that CAS code doesn't do this, I decided to copy the
cookie over to another machine, with a different IP, and use it there.
It worked just fine, and CAS thought I was authenticated, giving me the
"You have been logged in successfully" page.

Tomcat's default behaviour is to only allow the original IP access to
the session. Why not use a Tomcat session, with a session attribute
that has the value of the TGC?

Granted that this isn't a problem when using SSL.
Thanks.
--
Trenton D. Adams
Systems Analyst/Web Software Engineer
Navy Penguins at your service!
Athabasca University
(780) 675-6195
:wq!
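The check proposed in the post, as an added example (not CAS code and not the poster's): a hypothetical in-memory ticket-granting-cookie store that can either accept any holder of the cookie, as the post describes CAS 2 doing, or bind the cookie to the IP it was issued to and reject it from anywhere else. The IP addresses and the `TGCStore` / `replay_outcome` names are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Ticket:
    client_ip: str   # IP the cookie was issued to
    issued_at: float


@dataclass
class TGCStore:
    """Hypothetical ticket-granting-cookie store, not CAS's own.

    bind_to_ip=False reproduces the behaviour described in the post: any
    host presenting the CASTGC value is treated as authenticated.
    bind_to_ip=True applies the proposed check: the cookie is only valid
    from the IP it was issued to, and is revoked on a mismatch.
    """
    bind_to_ip: bool = True
    tickets: Dict[str, Ticket] = field(default_factory=dict)

    def issue(self, client_ip: str) -> str:
        cookie = secrets.token_urlsafe(32)   # unguessable random value
        self.tickets[cookie] = Ticket(client_ip, time.time())
        return cookie

    def validate(self, cookie: str, client_ip: str) -> bool:
        ticket = self.tickets.get(cookie)
        if ticket is None:
            return False
        if self.bind_to_ip and ticket.client_ip != client_ip:
            # Cookie presented from a different host: treat it as a
            # replay of a captured cookie, reject it and revoke the ticket.
            del self.tickets[cookie]
            return False
        return True


def replay_outcome(bind_to_ip: bool) -> bool:
    """Constructed scenario from the post: cookie issued to one machine,
    then copied to and presented from a machine with a different IP.
    Returns True if the second machine is accepted as authenticated."""
    store = TGCStore(bind_to_ip=bind_to_ip)
    cookie = store.issue("10.0.0.5")           # original user's machine
    return store.validate(cookie, "10.0.0.9")  # copied to another machine
```

A source-IP check of this kind rejects legitimate users whose address changes mid-session (NAT pools, mobile networks, some proxies), so it is a supplement to, not a replacement for, keeping the cookie off plain HTTP.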