This page is for documenting adjusting the CAS SSO session duration and for collecting information about implementing "remember me" in CAS wherein authenticated CAS sessions would last longer than just a browser session.

Generally

Ticket expiration parameters

CAS ticket caches are configurable as to how long they will retain and consider valid information about vended tickets. You can increase the duration of end-user-perceived "single sign on sessions" by increasing these ticket expiration timeouts.

Remember me

CAS's out of the box behavior of using browser session scoped cookies is probably a feature. Remembering the user across browser sessions introduces additional security concerns (do other users have access to the cookie store?), a longer window for an adversary to guess the TGT (is the TGT length still long enough?), and user interface considerations (users are used to being able to "log out of" CAS by closing the browser window and only rarely actuate the explicit CAS logout facility).

In CAS 2

Out of the box parameters

...

Implementing "remember me"

By default, the CAS Ticket Granting Cookie (browser-side representation of the Ticket Granting Ticket which allows the browser to participate in CAS SSO session) is configured to expire when the user closes the browser (ends the browser session).

Login.java sendTgc method (Java):

  /**
   * Creates, sends (to the given ServletResponse), and returns a
   * TicketGrantingTicket for the given username.
   */
  private TicketGrantingTicket sendTgc(String username,
               HttpServletRequest request,
               HttpServletResponse response) throws ServletException {
    try {
      TicketGrantingTicket t = new TicketGrantingTicket(username);
      String token = tgcCache.addTicket(t);
      Cookie tgc = new Cookie(TGC_ID, token);
      tgc.setSecure(true);
      tgc.setMaxAge(-1);
      tgc.setPath(request.getContextPath());
      response.addCookie(tgc);
      return t;
    } catch (TicketException ex) {
      throw new ServletException(ex.toString());
    }
  }

Setting the cookie's max age to -1 indicates that the cookie persists until browser shutdown.

Setting the cookie instead to have a maximum age of some particular number of seconds produces a cookie that browsers are requested to persist across sessions until the number of seconds have elapsed.

Setting the cookie to last a week (Java):

tgc.setMaxAge(7 * 24 * 60 * 60); // 604800 seconds = one week
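As an added example, not code from CAS or from this page, the following Java class makes the TGC lifetime depend on a remember-me choice and checks it against the TGT cache timeout described under "Ticket expiration parameters". The `rememberMe` flag, `REMEMBER_ME_MAX_AGE`, the cookie name value and the `setHttpOnly` call (Servlet 3.0 or later) are assumptions.

```java
import javax.servlet.http.Cookie;

// Added example, not CAS code: a remember-me aware version of the TGC cookie
// logic from Login.sendTgc. Names below other than TGC_ID are assumptions.
public class RememberMeTgc {
  private static final String TGC_ID = "CASTGC"; // cookie name; value assumed

  // Remember-me lifetime requested from the browser, in seconds (one week).
  static final int REMEMBER_ME_MAX_AGE = 7 * 24 * 60 * 60; // 604800

  /** -1 = discard at browser shutdown; otherwise persist for the remember-me span. */
  static int cookieMaxAge(boolean rememberMe) {
    return rememberMe ? REMEMBER_ME_MAX_AGE : -1;
  }

  /**
   * A persistent TGC is only useful while the TGT it names is still in the
   * ticket cache. Returns true when the cookie would outlive the ticket,
   * i.e. the TGT cache timeout must be raised (or the cookie age lowered).
   */
  static boolean cookieOutlivesTicket(int cookieMaxAgeSeconds, long tgtTimeoutSeconds) {
    return cookieMaxAgeSeconds > 0 && cookieMaxAgeSeconds > tgtTimeoutSeconds;
  }

  /** Builds the TGC for an already cached TGT token; the caller adds it to the response. */
  static Cookie buildTgc(String token, String contextPath, boolean rememberMe) {
    Cookie tgc = new Cookie(TGC_ID, token);
    tgc.setSecure(true);     // the token is as sensitive as the TGT itself: HTTPS only
    tgc.setHttpOnly(true);   // Servlet 3.0+: keep the token out of reach of page scripts
    tgc.setMaxAge(cookieMaxAge(rememberMe));
    // getContextPath() is "" for the root context; cookie paths must start with "/"
    tgc.setPath(contextPath.isEmpty() ? "/" : contextPath);
    return tgc;
  }
}
```

Before enabling the persistent cookie, confirm `cookieOutlivesTicket(REMEMBER_ME_MAX_AGE, tgtCacheTimeout)` is false for the configured TGT cache; otherwise the browser keeps presenting a cookie for a ticket CAS has already discarded.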

In CAS 3

Out of the box parameters

...