Login form fails when entry is delayed

Scott Battaglia scott.battaglia at gmail.com
Mon Feb 11 11:54:58 EST 2008


There's no logic problem. The login process utilizes Spring Web Flow to
control the flow of the login process.  Spring Web Flow is used by default
in conjunction with session management to prevent you from re-submitting
credentials (in the case of a browser caching POST data).  We've kept the
default session relatively short to minimize the memory usage.

If you are concerned, you can either extend the session timeout (thus
consuming more memory), or switch to the backing store which uses the
request object instead of the session object (this has security
implications).  I haven't been able to re-create the resubmitting POST
problem on newer browsers but I'm not sure which browsers are affected by
it.

If you're attempting to re-utilize a cached page (via saving it in the
browser and coming back to it) it's going to fail because it won't find the
submitted Flow ID.  You would find that issue with any page that utilizes
sessions.

-Scott

On Feb 11, 2008 11:34 AM, Harry Ng <harryworld at gmail.com> wrote:

>
> Hi Dale,
>
> I also noticed that, but it seems this occurs for many versions of CAS. The
> "problem" lies in the login logic of CAS itself, which means it is not
> related to the frontend Apache.
>
> One more case can be like this
> 1. Using Firefox, Browse to login page /cas/login
> 2. Close the browser and save the login view using Session Manager
> 3. The page shows /cas/login on next start of Firefox
> 4. Login the first time, the page refreshes
> - Check the logs, the server side doesn't really authenticate
> - instead, it needs to pass through InitialFlowSetupAction in order to do
> this (Setting ContextPath for cookies to: /cas)
> 5. Login again, succeeds this time.
>
> I am wondering is there any solution to this.
>
> Regards,
> Harry
>
>
> dale77 wrote:
> >
> > Hello,
> >
> > this is a strange one I have noticed a few times. CAS 3.1.1 is the backend
> > version. Apache fronting tomcat 5.5 on RHEL5.
> >
> > 1. Browse to the login page /cas/login
> > 2. Leave the page for "a while" not sure how long
> > 3. Come back and attempt to login, enter creds, hit enter
> > 4. Page refreshes quickly wiping out your entered credentials but
> > otherwise nothing happens
> > 5. Say "Huh?"
> > 6. enter same creds again, hit enter
> > 7. Login succeeds - shrug shoulders and continue
> >
> > Is there some non-cas (tomcat/apache?) session timeout happening here? Is
> > this repeatable for anyone else?
> >
> > Thanks
> >
> > Dale
> >
>



-- 
-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia
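
Added example, not part of the original message and not CAS or Spring Web Flow code: a simplified Python model of a login flow whose state lives in the server-side session, showing why a submit after the session has expired only redisplays the form and why a replayed POST is not re-authenticated. The class, function names, timeout value and account are all hypothetical.

```python
import secrets

SESSION_TIMEOUT = 300  # seconds; constructed value, not the CAS default

class LoginServer:
    """Toy model of a session-backed login flow (assumed behaviour)."""
    def __init__(self, users):
        self.users = users
        self.sessions = {}  # session id -> {"last_seen": t, "flow_keys": set()}

    def _live_session(self, sid, now):
        s = self.sessions.get(sid)
        if s is None or now - s["last_seen"] > SESSION_TIMEOUT:
            self.sessions.pop(sid, None)  # expired: its flow state goes too
            return None
        s["last_seen"] = now
        return s

    def get_login_form(self, sid, now):
        """Start a flow; returns (session id, flow key embedded in the form)."""
        s = self._live_session(sid, now)
        if s is None:
            sid = secrets.token_hex(8)
            s = self.sessions[sid] = {"last_seen": now, "flow_keys": set()}
        key = secrets.token_hex(8)
        s["flow_keys"].add(key)
        return sid, key

    def submit(self, sid, key, user, password, now):
        """Returns (outcome, session id, flow key for the next form)."""
        s = self._live_session(sid, now)
        if s is None or key not in s["flow_keys"]:
            # Unknown flow key: credentials are never checked, a new flow starts.
            sid, key = self.get_login_form(sid, now)
            return "form_redisplayed", sid, key
        s["flow_keys"].discard(key)  # single use: a replayed POST finds nothing
        ok = self.users.get(user) == password
        return ("authenticated" if ok else "bad_credentials"), sid, None

def delayed_login(delay):
    """Load the form at t=0, submit after `delay`, retry once if redisplayed."""
    server = LoginServer({"dale": "s3cret"})  # constructed account
    sid, key = server.get_login_form(None, 0)
    outcomes = []
    for _ in range(2):
        outcome, sid, key = server.submit(sid, key, "dale", "s3cret", delay)
        outcomes.append(outcome)
        if outcome == "authenticated":
            break
    return outcomes
```

In this model, raising `SESSION_TIMEOUT` removes the failed first attempt at the cost of keeping idle sessions and their flow state in memory for longer.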