[cas-dev] Security Issue

Trenton D. Adams trenta at athabascau.ca
Wed Mar 12 20:17:55 EDT 2008


Forget the part about the tomcat sessions.  I had forgotten that it won't work with proxy tickets unless you do custom stuff.  But, the IP association with CAS TGCs would be a *small* notch up in security, wouldn't it?

----- "Trenton D. Adams" <trenta at athabascau.ca> wrote:
> Hi Guys,
> 
> I'm using CAS 2, not 3.
> 
> Wouldn't it be a little better to use CASTGC cookies that only work
> with the original IP?  As it is, if someone were to use regular HTTP (vs
> HTTPS), I could hack into their account after I have the CASTGC cookie.
> After realizing that CAS code doesn't do this, I decided to copy the
> cookie over to another machine, with a different IP, and use it there.
> It worked just fine, and CAS thought I was authenticated, giving me the
> "You have been logged in successfully" page.
> 
> Tomcat's default behaviour is to only allow the original IP access to
> the session.  Why not use a tomcat session, with a session attribute
> that has the value of the TGC?
> 
> Granted that this isn't a problem when using SSL.
> 
> Thanks.
> 
> -- 
> Trenton D. Adams
> Systems Analyst/Web Software Engineer
> Navy Penguins at your service!
> Athabasca University
> (780) 675-6195
> :wq!
> 
> 
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
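A server-side sketch of the IP association discussed in this thread, added here as an example (it is not CAS code): a hypothetical registry records the client address when a TGC is issued and refuses the same cookie value from any other address, recording the mismatch for the audit log. Addresses and the `TgcRegistry` class are constructed for the example; `bind_to_ip=False` reproduces the copied-cookie result described above.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TicketGrantingCookie:
    value: str
    client_ip: str      # address the TGC was issued to
    issued_at: float


class TgcRegistry:
    """Hypothetical server-side TGC store (constructed for this example, not CAS code)."""

    def __init__(self, ttl_seconds: int = 8 * 3600, bind_to_ip: bool = True):
        self._tickets: dict = {}
        self.ttl = ttl_seconds
        self.bind_to_ip = bind_to_ip
        self.audit: list = []          # address mismatches worth alerting on

    def issue(self, client_ip: str, now: Optional[float] = None) -> str:
        value = "TGC-" + secrets.token_urlsafe(32)   # unguessable cookie value
        issued = now if now is not None else time.time()
        self._tickets[value] = TicketGrantingCookie(value, client_ip, issued)
        return value

    def validate(self, value: str, client_ip: str, now: Optional[float] = None) -> bool:
        tgc = self._tickets.get(value)
        if tgc is None:
            return False
        current = now if now is not None else time.time()
        if current - tgc.issued_at > self.ttl:
            del self._tickets[value]   # expired: drop it
            return False
        if self.bind_to_ip and tgc.client_ip != client_ip:
            self.audit.append(f"{value[:12]}... issued to {tgc.client_ip}, presented from {client_ip}")
            return False               # cookie presented from a different host
        return True


def replay_from_other_host(bind_to_ip: bool) -> Tuple[bool, bool]:
    """Issue a TGC to one (constructed) address, then present it from another."""
    registry = TgcRegistry(bind_to_ip=bind_to_ip)
    tgc = registry.issue("192.0.2.10")
    return registry.validate(tgc, "192.0.2.10"), registry.validate(tgc, "192.0.2.99")
```

Clients behind NAT or a rotating proxy share or change addresses, so this check is the small notch the reply describes, not a replacement for HTTPS on the cookie.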


