SSO Inactivity Timeout

nick.maiorana at wachovia.com
Wed Nov 1 12:23:39 EST 2006


Yes, but this would invalidate the ticket based upon user activity, not a 
time period.  I hope I'm not missing something.

Thanks

Nick Maiorana
Technology, Architecture and Business Services
J2EE Components and Services
nick.maiorana at wachovia.com
Phone:  704-427-1923
Pager:   888-739-0534 or nick.maiorana at my2way.com

Confidentiality Statement: 
"The information contained in this electronic message is confidential, 
proprietary, and intended only for the use of the owner of the e-mail 
address listed as the recipient of this message. If you are not the 
intended recipient, or the employee or agent responsible for delivering 
this message to the intended recipient, you are hereby notified that any 
disclosure, dissemination, distribution, copying of this communication, or 
unauthorized use is strictly prohibited and subject to prosecution to the 
fullest extent of the law! If you are not the intended recipient, please 
delete this electronic message and DO NOT ACT UPON, FORWARD, COPY OR 
OTHERWISE DISSEMINATE IT OR ITS CONTENTS." 



"Scott Battaglia" <scott.battaglia at gmail.com> 
wrote on 11/01/2006 09:51 AM:

You could, but it's not necessary because once the ticket itself is expired 
the cookie is invalid (as an attempt to retrieve the ticket by id would 
fail) and the next time you log in the old cookie would be replaced.

-Scott

On 11/1/06, nick.maiorana at wachovia.com <nick.maiorana at wachovia.com> wrote:

Yeah, that's what we were thinking.  For a true inactivity invalidation, 
we may have to employ some sort of agent or supplicant on the client 
workstations that clear the SSO cookie. 

Thanks.

Nick Maiorana


"Scott Battaglia" <scott.battaglia at gmail.com> 
wrote on 10/31/2006 09:31 AM:

The cookie is merely a pointer to the actual Ticket.  Expiring the ticket 
has the same effect as expiring the cookie and it's actually easier to do. 
Your only other option is to modify the login flow itself to check the 
cookie. 

-Scott

On 10/31/06, nick.maiorana at wachovia.com <nick.maiorana at wachovia.com> wrote:

Thanks for your reply. 

We are looking for a way to invalidate the SSO Cookie if the user has not 
had any keyboard/mouse activity (or at a minimum, browser activity) for a 
set amount of time.  So this is more of an inactivity time for the user 
rather than an expiration time for the ticket.

Nick Maiorana

"Scott Battaglia" <scott.battaglia at gmail.com > 
wrote on 10/30/2006 11:49 AM:

Nick,

CAS supports the notion of Expiration Policies.  Example policies include 
# of uses or "a ticket is only valid for X amount of time."  You can write 
an "inactivity policy" and configure CAS to use that. 

http://developer.ja-sig.org/projects/cas/multiproject/cas-server/apidocs/org/jasig/cas/ticket/ExpirationPolicy.html 

http://developer.ja-sig.org/projects/cas/multiproject/cas-server/apidocs/org/jasig/cas/ticket/TicketState.html 


-Scott


On 10/30/06, nick.maiorana at wachovia.com <nick.maiorana at wachovia.com> wrote:

Are there any hooks into determining a user's inactivity on his machine to 
invalidate the SSO token?

Nick Maiorana

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas 
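
The inactivity-style expiration discussed in this thread, sketched as an added example that is not part of the thread and is not the CAS server's code: InactivityPolicy and TicketRegistry are hypothetical stand-ins for the expiration policy and ticket lookup mentioned above, and the ticket id and clock are constructed. The idle window is measured from requests that present the cookie to the server, not from keyboard or mouse activity on the workstation.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.LongSupplier;

// Added illustration with simplified stand-ins; these are not the CAS server's classes.
public class InactivityTimeoutDemo {

    /** Hypothetical policy: a ticket is expired once it has been idle for maxIdleMillis. */
    static final class InactivityPolicy {
        private final long maxIdleMillis;
        InactivityPolicy(long maxIdleMillis) { this.maxIdleMillis = maxIdleMillis; }
        boolean isExpired(long lastTimeUsed, long now) { return now - lastTimeUsed >= maxIdleMillis; }
    }

    /** Server-side registry: ticket id -> time of last use. The cookie carries only the id. */
    static final class TicketRegistry {
        private final Map<String, Long> lastTimeUsed = new HashMap<>();
        private final InactivityPolicy policy;
        private final LongSupplier clock;
        TicketRegistry(InactivityPolicy policy, LongSupplier clock) { this.policy = policy; this.clock = clock; }
        void issue(String ticketId) { lastTimeUsed.put(ticketId, clock.getAsLong()); }

        /** True if the cookie value still resolves to a live ticket; a hit restarts the idle window. */
        boolean validate(String cookieValue) {
            long now = clock.getAsLong();
            Long last = lastTimeUsed.get(cookieValue);
            if (last == null) return false;            // unknown or already removed
            if (policy.isExpired(last, now)) {         // idle too long: drop the ticket
                lastTimeUsed.remove(cookieValue);
                return false;
            }
            lastTimeUsed.put(cookieValue, now);
            return true;
        }
    }

    public static void main(String[] args) {
        long[] now = {0L};                             // constructed clock, milliseconds
        TicketRegistry reg = new TicketRegistry(new InactivityPolicy(15 * 60_000L), () -> now[0]);
        String cookie = "TGT-constructed-example";     // constructed ticket id
        reg.issue(cookie);
        now[0] += 10 * 60_000L;                        // request after 10 minutes idle
        System.out.println("10 min idle: " + reg.validate(cookie));
        now[0] += 15 * 60_000L;                        // no requests for 15 minutes
        System.out.println("15 min idle: " + reg.validate(cookie));
        System.out.println("retry:       " + reg.validate(cookie));
    }
}
```

Once the ticket is removed, the browser may still hold the cookie, but every later lookup by that id fails until a new login issues a new ticket.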

