Strange behaviour while reaching the login page with cookie but without service

Scott Battaglia scott_battaglia at rutgers.edu
Fri Jun 23 08:48:09 EDT 2006


Technically it's the correct behavior, as without a service we never
bother to "use" the TGT to make sure it's valid (we have no way of using
it) and just assume it's valid.  The first time a user attempts to access
a service it will make them log in. I will admit, however, that the
behavior does seem a bit odd if you know you've forged or have an
expired ticket :-)

If it's a concern, one can always check the ticket registry to make sure
the ticket still exists and is not expired.  It breaks the fact that we
try to keep any ticket access in the service layer, but it would allow
you to make sure this behavior doesn't happen.
Arnaud Lesueur wrote:
> Hi,
>
> I have found a strange behaviour with the default CAS login webflow.
>
> If you reach the login page without requesting any service and with a CASTGC cookie, you get the casGenericSuccess
> page as answer.
>
> This step is OK with a valid cookie, but with a non-valid cookie (either expired or a forged cookie) you also reach the
> casGenericSuccess page, which does not enable the user to log in and get a valid TGC.
>
> Do you think this is really a valid behaviour for the end user?
> Don't you think that CAS should return the login form instead?
>
> Arnaud Lesueur
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas