Project: CAS Server
CAS-972

CAS TGC default cookie path should be "/cas/" ?

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.2.1, 3.4.3.1, 3.4.4, 3.4.5, 3.4.6, 3.4.7
    • Fix Version/s: 3.4.9
    • Component/s: Authentication
    • Labels: None

      Description

      Hi,
      during testing of our internal CAS deployment I discovered the CAS TGC cookie being sent to URLs which are probably not intended to receive it.

      Our CAS is deployed under standard CAS context root /cas
      We have a test/sample application under context root /cas-sample-webapp
      Both are available via the same domain, via https.

      Turns out that /cas-sample-webapp is receiving the CAS TGC - because its root context "matches" the default cookie path setting for the CAS TGC ("/cas")

      I am not sure whether that is actually intended, but from my understanding of the CAS workings the cookie path in ticketGrantingTicketCookieGenerator.xml should rather be set to "/cas/" by default - thus ensuring that the TGC is actually only sent to URLs "under" the /cas context.
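As an added illustration (not part of this report or of the CAS project's code), the Python below compares the RFC 6265 path-match rule with the naive string-prefix matching that some older user agents applied, using constructed request paths modelled on the /cas and /cas-sample-webapp deployment described above. It shows why a Path of "/cas" can leak the TGC to a sibling context under prefix matching while "/cas/" does not under either rule.

```python
"""Cookie Path matching, illustrating the CAS-972 report.

A browser sends a cookie only when the request path "matches" the
cookie's Path attribute. Two rules are compared here:
* RFC 6265 section 5.1.4 path-match, where a proper-prefix cookie-path
  only matches if the request path continues with "/".
* Naive prefix matching, as done by some pre-RFC 6265 user agents.
"""


def rfc6265_path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match algorithm."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # cookie-path is a proper prefix: it must end in "/" or the request
    # path must continue with "/" for the cookie to be in scope.
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def naive_prefix_match(request_path: str, cookie_path: str) -> bool:
    """Plain string-prefix matching used by some older user agents."""
    return request_path.startswith(cookie_path)


# Constructed request paths mirroring the deployment in the report:
# CAS under /cas, a sample webapp under /cas-sample-webapp, same host.
REQUEST_PATHS = [
    "/cas",
    "/cas/login",
    "/cas/serviceValidate",
    "/cas-sample-webapp/",
    "/cas-sample-webapp/secure/page",
    "/other-app/",
]


def paths_receiving_cookie(cookie_path: str, matcher=naive_prefix_match):
    """Return the constructed request paths that would receive the TGC."""
    return [p for p in REQUEST_PATHS if matcher(p, cookie_path)]


if __name__ == "__main__":
    for cookie_path in ("/cas", "/cas/"):
        for m in (naive_prefix_match, rfc6265_path_match):
            print(f"Path={cookie_path!r:8} {m.__name__:20} -> "
                  f"{paths_receiving_cookie(cookie_path, m)}")
```

Note that with Path="/cas/" a request for the bare "/cas" URL no longer receives the cookie under either rule, which is harmless for the CAS endpoints (/cas/login and so on) but worth knowing when changing the default.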

            People

            • Assignee: battags ScottS
            • Reporter: lkoed Lars Koedderitzsch
            • Votes: 0
            • Watchers: 0
