CAS TGC default cookie path should be "/cas/" ?

Description

Hi,
during testing of our internal CAS deployment I discovered the CAS TGC cookie being sent to URLs which are probably not intended to receive it.

Our CAS is deployed under standard CAS context root /cas
We have a test/sample application under context root /cas-sample-webapp
Both are available via the same domain, via https.

Turns out that /cas-sample-webapp is receiving the CAS TGC - because its root context "matches" the default cookie path setting for the CAS TGC ("/cas")

I am not sure whether that is actually intended, but from my understanding of the CAS workings the cookie path in ticketGrantingTicketCookieGenerator.xml should be rather set to "/cas/" by default - thus ensuring that the TGC is actually only sent to URLs "under" the /cas context.

Environment

None

Status

Assignee

ScottS

Reporter

Lars Koedderitzsch

Labels

None

Estimated End Date

None

Audience

None

Components

Fix versions

Affects versions

3.4.4
3.4.6
3.4.2.1
3.4.7
3.4.5
3.4.3.1

Priority

Major
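
The path comparison described in the report, as an added example that is not part of the original issue or of the CAS code base: it applies two cookie path rules, the plain prefix match of the Netscape cookie specification and RFC 2109 and the path-match of RFC 6265 section 5.1.4, to the cookie paths "/cas" and "/cas/". The request paths are constructed samples and the function names are hypothetical.

```javascript
// Added example: cookie Path matching for the two values discussed in the report.

// Plain prefix match (Netscape cookie spec, RFC 2109): the cookie is sent
// whenever the request path starts with the cookie Path.
function prefixMatch(cookiePath, requestPath) {
  return requestPath.startsWith(cookiePath);
}

// Path-match from RFC 6265 section 5.1.4: a prefix only counts when it ends
// on a "/" boundary (or the two paths are identical).
function rfc6265PathMatch(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}

// Constructed request paths on one host: CAS itself, the sample webapp, and
// an unrelated application.
const REQUEST_PATHS = [
  "/cas",
  "/cas/login",
  "/cas-sample-webapp/",
  "/cas-sample-webapp/protected/index.jsp",
  "/other/",
];

// Request paths that would receive the cookie although they lie outside the
// intended context root.
function leaks(cookiePath, contextRoot, matcher, paths = REQUEST_PATHS) {
  const inContext = (p) => p === contextRoot || p.startsWith(contextRoot + "/");
  return paths.filter((p) => matcher(cookiePath, p) && !inContext(p));
}

// Print a per-path table for both candidate cookie paths.
for (const cookiePath of ["/cas", "/cas/"]) {
  for (const p of REQUEST_PATHS) {
    console.log(
      `Path=${cookiePath}  request=${p}  prefix=${prefixMatch(cookiePath, p)}` +
        `  rfc6265=${rfc6265PathMatch(cookiePath, p)}`
    );
  }
}
```

With Path "/cas/", a request to exactly "/cas" (no trailing slash) carries no cookie under either rule, so the servlet container's redirect from "/cas" to "/cas/" has to happen before the TGC is needed.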