CAS ticket validation question

ashoka.upadhya@gtnexus.com ashoka.upadhya at gtnexus.com
Fri Sep 22 15:26:38 EDT 2006


Hello,

After login, the CAS server redirects the user back to the service URL along with the ticket, i.e. the URL will be something like
http://www.yale.edu/tp/authenticate.jsp?ticket=opaque-ticket-string
Now the client application is supposed to validate this ticket with the CAS.

Let's say for some reason the client application didn't validate the ticket with the CAS (assuming the client application server went down).
Because of this, the usage count for this ticket in the CAS server is still 0. That means the ticket is still active in the CAS server. In the meantime,
someone gets hold of this ticket (don't ask me how) and enters the above URL in their new browser session. Since the validation
communication happens directly between the client and the CAS server, will the CAS server validate this ticket? If not, please let me know how
it is prevented; if yes, is there a way to prevent it?

Thanks
-Ashoka