During testing of our internal CAS deployment I discovered the CAS TGC cookie being sent to URLs which are probably not intended to receive it.
Our CAS is deployed under standard CAS context root /cas
We have a test/sample application under context root /cas-sample-webapp
Both are available via the same domain, via https.
It turns out that /cas-sample-webapp is receiving the CAS TGC, because its root context "matches" the default cookie path setting for the CAS TGC ("/cas").
I am not sure whether that is actually intended, but from my understanding of the CAS workings the cookie path in ticketGrantingTicketCookieGenerator.xml should rather be set to "/cas/" by default, thus ensuring that the TGC is actually only sent to URLs "under" the /cas context.
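Whether a browser attaches a cookie with Path=/cas to a request for /cas-sample-webapp depends on the path-match rule the client applies. Older clients used plain string-prefix matching, under which "/cas" matches "/cas-sample-webapp" and "/castle" alike; RFC 6265 section 5.1.4 additionally requires that the cookie path ends in "/" or that the first request-path character beyond the cookie path is "/". The script below is an added example written for this thread, not code from the original post or from the CAS project; it implements both rules and runs them over a constructed list of request paths so the difference between Path=/cas and Path=/cas/ is visible.

```python
# Added example (not from the original post or from CAS): compare naive
# prefix path matching with RFC 6265 section 5.1.4 path-match to see which
# request paths receive a cookie scoped to Path=/cas versus Path=/cas/.


def naive_prefix_match(cookie_path: str, request_path: str) -> bool:
    """Pre-RFC-6265 behaviour: any request path starting with the cookie path matches."""
    return request_path.startswith(cookie_path)


def rfc6265_path_match(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match.

    A request-path path-matches a cookie-path if:
      - they are identical, or
      - cookie-path is a prefix of request-path and either cookie-path ends
        in "/" or the first character of request-path that is not part of
        cookie-path is "/".
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


def cookie_sent_to(cookie_path: str, request_paths, matcher):
    """Return the request paths that would carry a cookie scoped to cookie_path."""
    return [p for p in request_paths if matcher(cookie_path, p)]


# Constructed sample of request paths on one https origin (not real traffic).
SAMPLE_REQUESTS = [
    "/cas",
    "/cas/",
    "/cas/login",
    "/cas-sample-webapp",
    "/cas-sample-webapp/index.jsp",
    "/castle",
    "/other",
]


def report():
    """Tabulate, for both cookie paths and both rules, which requests get the cookie."""
    result = {}
    for cookie_path in ("/cas", "/cas/"):
        for name, matcher in (("naive", naive_prefix_match), ("rfc6265", rfc6265_path_match)):
            result[(cookie_path, name)] = cookie_sent_to(cookie_path, SAMPLE_REQUESTS, matcher)
    return result


if __name__ == "__main__":
    for (cookie_path, rule), paths in report().items():
        print(f"Path={cookie_path:<5} rule={rule:<8} -> {paths}")
```

Two things worth keeping in mind when reading the output: with Path=/cas the leak to /cas-sample-webapp only occurs under prefix matching, while with Path=/cas/ neither rule sends the cookie there. The caveat of the trailing slash is that under RFC 6265 a request for exactly /cas (no trailing slash) no longer matches Path=/cas/; that is usually harmless because the servlet container redirects /cas to /cas/, but it is worth checking against your own deployment before changing the default.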