preventing duplicate ticket validation from user page refresh

Scott Battaglia scott_battaglia at rutgers.edu
Wed Jul 12 23:42:55 EDT 2006


For reference:
http://www.ja-sig.org/issues/browse/CASC-7

-Scott

Scott Battaglia wrote:
> If someone wants to add a feature request to the CAS Client for a 
> redirect after validation (to the same URL, minus the ticket), I will 
> put it in for the M2 release.
>
> -Scott
>
> Andrew Petro wrote:
>
>> Likely such a check can be added, yes.
>>
>> The underlying problem is that of CAS service and proxy tickets being
>> one-time-use but refreshing the browser results in re-presenting the used-up
>> ticket, which is indistinguishable from presenting a new bogus ticket or an
>> otherwise legitimate but expired ticket.
>>
>> A classic response to this problem is to introduce a filter or other
>> mechanism post-authentication to redirect the browser to a URL unencumbered
>> by extraneous ticket= parameters in the URL.  This has the result of
>> presenting a more attractive, even possibly bookmarkable, URL in the address
>> bar and emphasizes that what is identifying and authenticating the user at
>> that point is an application-specific session cookie.
>>
>> The ticket removed from the address bar, it also becomes more difficult for
>> the user to accidentally re-present the ticket via page refresh.
>>
>>> -----Original Message-----
>>> From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On
>>> Behalf Of Kris Melotte
>>> Sent: Tuesday, July 11, 2006 11:41 PM
>>> To: Yale CAS mailing list
>>> Subject: page refresh issue
>>>
>>> Hello,
>>>
>>> I've installed CAS 3.5 RC2 and CAS Java Client 3.0.0-m1.
>>>
>>> When I have been logged in successfully, CAS redirects me to the
>>> application. Pressing the page refresh button at this time results in an
>>> error as the CasValidationFilter tries to re-validate the ticket in the
>>> request for a second time.
>>>
>>> Perhaps someone mentioned this already but I think this can be fixed by
>>> checking on assertion==null, in a similar way as was done in the
>>> CasAuthenticationFilter.
>>>
>>> Best regards,
>>> Kris
>>>
>>>
>>> _______________________________________________
>>> Yale CAS mailing list
>>> cas at tp.its.yale.edu
>>> http://tp.its.yale.edu/mailman/listinfo/cas
>>>
>   
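The post-authentication redirect Andrew describes, written as an added example (not code from the CAS Java Client or from anyone in this thread): a servlet filter that, once an assertion is already in the session, sends the browser to the same URL with the ticket= parameter removed, so a refresh re-presents neither the used-up ticket nor anything that looks like a bogus one. It assumes the validation filter stores the assertion under a session attribute (the name `cas.assertion` is an assumption) and, if this filter is chained after CasValidationFilter, that the validation filter skips sessions that already hold an assertion (the assertion==null check Kris suggests); chained before it, it simply short-circuits the refresh.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Redirects an already-authenticated session to a ticket-free copy of the current URL. */
public class TicketStrippingRedirectFilter implements Filter {
    // Session attribute assumed to hold the validated assertion (name is an assumption).
    static final String ASSERTION_ATTR = "cas.assertion";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        boolean hasTicket = request.getParameter("ticket") != null;
        boolean authenticated = session != null && session.getAttribute(ASSERTION_ATTR) != null;
        if (hasTicket && authenticated) {
            // The session cookie now identifies the user; the one-time ticket in the
            // address bar is spent, so move the browser to a URL that no longer carries it.
            String target = stripTicket(request.getRequestURL().toString(), request.getQueryString());
            response.sendRedirect(target);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Rebuild url?query with every ticket=... pair removed, keeping other parameters. */
    static String stripTicket(String url, String query) {
        if (query == null || query.isEmpty()) return url;
        List<String> kept = new ArrayList<String>();
        for (String pair : query.split("&")) {
            if (pair.isEmpty() || pair.equals("ticket") || pair.startsWith("ticket=")) continue;
            kept.add(pair);
        }
        return kept.isEmpty() ? url : url + "?" + String.join("&", kept);
    }
}
```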


