When you are already logged in, you can provide any well-formed ticket value in the query string.
This causes the attributes not to be updated, even if a valid ticket is provided.
This ticket will be assigned to the session id without validation.
Using SAML_VERSION_1_1 (not tested with CAS_VERSION_2_0).
Today, I think I will not have the time.
But as for the CAS server we use, it's a CAS server with specific mods, from a company. But I don't know exactly in detail what the mods are and how they did them.
I have committed the patch to the trunk. For now I chose the simple solution. Simply ignoring a new ticket and issuing a warning to the debug log.
For the future we could work on accepting those tickets, but there is still the open issue of how to deal with invalid tickets. You can either log out the user (possible security issue) or ignore the ticket (security?). Neither option is really my first choice. I will try to discuss the issue with more CAS developers on the next community call.
Joachim, we might need to start implementing monthly developer calls to get all the server and client developers on the same page. This would be separate from the community calls (which are normally a higher level). What do you think? We've been doing weekly calls for multi-factor authentication but maybe we can morph them into developer calls after the multi-factor discussions are done.
That would be nice. Count me in. Rather than having a 'call', I would really like some kind of web conference where you can share your screen, show some code, slides, etc. I think talking about code or complex problems without some visual aid would really limit these developer calls.
Fix is in both stable and trunk. I will open another issue to discuss a long-term solution.
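
The reported behaviour and the committed fix, modelled as an added example that is not part of the thread and is not the client library's code. The function names, the array-based session model and the `$validate` callback are assumptions made for illustration, and the sample data is constructed.

```php
<?php
// Simplified model: $session stands in for server-side session state and
// $validate is a hypothetical stand-in for ticket validation at the CAS server.

// Reported behaviour: on an authenticated session, a ticket taken from the
// query string is assigned to the session id without being validated.
function handleRequestBefore(array $session, array $query): array
{
    if (!empty($session['user']) && isset($query['ticket'])) {
        $session['id'] = $query['ticket']; // unvalidated, client-chosen value
        // attributes are left as they were, even if the ticket was valid
    }
    return $session;
}

// Committed fix: a ticket arriving on an authenticated session is ignored
// and a warning is written to the debug log.
function handleRequestAfter(array $session, array $query, callable $validate, array &$log): array
{
    if (!empty($session['user'])) {
        if (isset($query['ticket'])) {
            $log[] = 'warning: ticket ignored, session already authenticated';
        }
        return $session; // id and attributes untouched
    }
    // Assumed unauthenticated path: the ticket is only used after validation.
    if (isset($query['ticket'])) {
        $result = $validate($query['ticket']); // null when the server rejects it
        if ($result !== null) {
            $session['user'] = $result['user'];
            $session['attributes'] = $result['attributes'];
        }
    }
    return $session;
}

// Constructed sample data: an authenticated session and a well-formed ticket.
$session  = ['id' => 'sess-1', 'user' => 'alice', 'attributes' => ['role' => 'staff']];
$query    = ['ticket' => 'ST-1-constructed'];
$validate = fn(string $ticket): ?array => null; // server rejects this ticket
$log      = [];

$before = handleRequestBefore($session, $query);
$after  = handleRequestAfter($session, $query, $validate, $log);
echo "before fix: session id = {$before['id']}\n";
echo "after fix:  session id = {$after['id']}; log = " . implode('; ', $log) . "\n";
```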