When already logged in, providing a new well-formed ticket value in the URL will only cause the session id to change, without any validation.

Description

When you are already logged in, you can provide any well-formed ticket value in the query string.
This causes the attributes not to be updated, even if a valid ticket is provided.
This ticket will be assigned to the session id without validation.

Environment

Using SAML_VERSION_1_1 (not tested with CAS_VERSION_2_0)

Activity

stopaze
May 20, 2010, 9:14 AM

Today, I think I will not have the time.
But for the CAS server we use, it's a CAS server with specific mods, from a company. But I don't know exactly in detail what the mods are or how they did them.

Joachim Fritschi
June 17, 2010, 2:08 PM

I have committed the patch to the trunk. For now I chose the simple solution. Simply ignoring a new ticket and issuing a warning to the debug log.
For the future we could work on accepting those tickets, but there is still the open issue of how to deal with invalid tickets. You can either log out the user (possible security issue) or ignore the ticket (security?). Neither option is really my first choice. I will try to discuss the issue with more CAS developers on the next community call.
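As an added illustration of the behaviour in the report and of the fix described in the comment above (ignore a new ticket on an already authenticated session and log a warning), here is a minimal PHP ticket handler. This is not phpCAS code: the function names, the session array keys, the `$validate` callback and the sample tickets are all assumptions constructed for the example.

```php
<?php
// Added example, not phpCAS code. Function names, session keys and the
// validation callback are hypothetical stand-ins for the real client.

// Well-formedness check only: CAS service/proxy tickets look like ST-... / PT-...
function isWellFormedTicket(string $ticket): bool
{
    return (bool) preg_match('/^[SP]T-[A-Za-z0-9_.-]+$/', $ticket);
}

// Behaviour described in the report: a well-formed ticket from the query
// string is written into the session regardless of the current login state,
// and the attributes are never refreshed, so the session ends up carrying an
// unvalidated ticket.
function handleTicketVulnerable(array $session, ?string $ticket): array
{
    if ($ticket !== null && isWellFormedTicket($ticket)) {
        $session['ticket'] = $ticket;   // no validation, no attribute update
    }
    return $session;
}

// The simple fix from the comment: if the session is already authenticated,
// ignore the new ticket, keep the session untouched and log a warning.
// Unauthenticated sessions still go through the normal validation round-trip.
function handleTicketFixed(array $session, ?string $ticket, callable $validate, array &$log): array
{
    if ($ticket === null || !isWellFormedTicket($ticket)) {
        return $session;
    }
    if (!empty($session['authenticated'])) {
        $log[] = "warning: ignoring ticket {$ticket} on an already authenticated session";
        return $session;
    }
    // $validate stands in for the SAML 1.1 / CAS 2.0 validation request.
    $result = $validate($ticket);
    if ($result === null) {
        $log[] = "warning: ticket {$ticket} failed validation";
        return $session;
    }
    $session['authenticated'] = true;
    $session['ticket']        = $ticket;
    $session['user']          = $result['user'];
    $session['attributes']    = $result['attributes'];
    return $session;
}

// Constructed demo: only one made-up ticket is treated as valid by the stub.
$validate = function (string $ticket): ?array {
    return $ticket === 'ST-1-constructed-valid'
        ? ['user' => 'alice', 'attributes' => ['mail' => 'alice@example.org']]
        : null;
};

$log = [];
$session = handleTicketFixed([], 'ST-1-constructed-valid', $validate, $log);
echo "after login: ticket={$session['ticket']}, user={$session['user']}\n";

// A second, different well-formed ticket arrives while logged in.
$before = handleTicketVulnerable($session, 'ST-2-constructed-other');
echo "vulnerable handler: ticket is now {$before['ticket']} (session silently changed)\n";

$after = handleTicketFixed($session, 'ST-2-constructed-other', $validate, $log);
echo "fixed handler: ticket is still {$after['ticket']}\n";
echo implode("\n", $log), "\n";
```

The point of keeping the two handlers side by side is that the only difference is the early return on `$session['authenticated']`; the log entry is what makes the ignored ticket visible to an operator debugging an unexpected login state.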

ScottS
June 18, 2010, 2:45 AM

Joachim, we might need to start implementing monthly developer calls to get all the server and client developers on the same page. This would be separate from the community calls (which are normally a higher level). What do you think? We've been doing weekly calls for multi-factor authentication but maybe we can morph them into developer calls after the multi-factor discussions are done.

Joachim Fritschi
June 18, 2010, 5:41 AM

That would be nice. Count me in. Rather than having a 'call' I would really like some kind of web conference where you can share your screen, show some code, slides etc. I think talking about code or complex problems without some visual aid would really limit these developer calls.

Joachim Fritschi
June 28, 2010, 2:40 PM

Fix is in both stable and trunk. I will open another issue to discuss a long term solution.

Assignee

Joachim Fritschi

Reporter

stopaze

Labels

None

Estimated End Date

None

Fix versions

Affects versions

Priority

Major