jasig-cas IRC Logs-2011-07-13
[12:41:53 CDT(-0500)] <yann2> Dear all, I have the following issue, something to do with cookies but not sure:
[12:42:14 CDT(-0500)] <yann2> user A logs into say, a wiki that uses CAS. He clicks on login, which redirects him to CAS.
[12:42:29 CDT(-0500)] <yann2> Now he doesn't login directly, but rather waits 4 hours or so.
[12:42:53 CDT(-0500)] <yann2> after trying to log in, CAS will redirect him to the wiki, which will loudly complain - auth fail
[12:43:02 CDT(-0500)] <yann2> user logged into CAS, not wiki.
[12:43:51 CDT(-0500)] <yann2> now if he makes a completely new request to the wiki, he won't be logged in, he clicks on login, which will redirect him to CAS, he's already logged into CAS, which redirects him to the wiki, and then he's authenticated
[12:44:07 CDT(-0500)] <serac> You probably need to share some client-side logs.
[12:44:10 CDT(-0500)] <yann2> sounds like some session expired between the time he first got redirected to CAS and the time he logged in, but where about?
[12:44:50 CDT(-0500)] <yann2> client side logs? you mean a log of requests from the windows client?
[12:44:55 CDT(-0500)] <serac> Sounds like client-side session expiration, but log will help clarify what, if anything, can be done to remediate.
[12:45:08 CDT(-0500)] <serac> The CAS client – the wiki in this case.
[12:45:38 CDT(-0500)] <serac> We tend to call the service that requests authentication to CAS the "client" in these scenarios.
[12:45:41 CDT(-0500)] <yann2> ah, k. So you think, technically not CAS related. I will try setting the session time on the wiki to something significantly longer to check
[12:45:55 CDT(-0500)] <yann2> btw, I got one a bit more tricky
[12:45:58 CDT(-0500)] <serac> Yeah, doubtful related to any CAS session timeout.
[12:46:07 CDT(-0500)] <yann2> at work, we use CAS on several intranet websites
[12:46:08 CDT(-0500)] <serac> session/ticket/etc
[12:46:11 CDT(-0500)] <wgthom> agreed. you could try to set it something much smaller to test
[12:46:19 CDT(-0500)] <wgthom> sounds like wiki issue
[12:46:27 CDT(-0500)] <yann2> now when a user starts his browser, it opens several intranet websites at the same time
[12:46:37 CDT(-0500)] <yann2> so technically, 3 CAS login windows, when not logged in
[12:46:45 CDT(-0500)] <yann2> user logs into first one, doesn't bother about the 2 others
[12:46:48 CDT(-0500)] <yann2> wait 2 hours
[12:46:53 CDT(-0500)] <yann2> click on other tab
[12:47:18 CDT(-0500)] <yann2> and "wtf, this is supposed to be sso"
[12:47:27 CDT(-0500)] <serac> SSO isn't magic.
[12:47:43 CDT(-0500)] <serac> The user does what in that second tab?
[12:47:47 CDT(-0500)] <yann2> I thought there might be some magic but well
[12:47:52 CDT(-0500)] <yann2> nothing till he logs in
[12:47:57 CDT(-0500)] <wgthom> the other tabs are sitting at CAS login screen? or application welcome screen?
[12:48:01 CDT(-0500)] <serac> This is a training issue.
[12:48:02 CDT(-0500)] <yann2> CAS login
[12:48:08 CDT(-0500)] <yann2> training? ahahah
[12:48:11 CDT(-0500)] <serac> Train your users to log into exactly one tab.
[12:48:13 CDT(-0500)] <yann2> technically we set the homepages
[12:48:18 CDT(-0500)] <serac> Then F5 the others.
[12:48:31 CDT(-0500)] <yann2> and the several homepages redirect to CAS
[12:48:35 CDT(-0500)] <serac> Most browsers share cookie/state across tabs, so refresh should get you a ticket.
[12:48:43 CDT(-0500)] <yann2> indeed
[12:48:50 CDT(-0500)] <serac> And then you'll get in "magically."
[12:48:58 CDT(-0500)] <serac> But the user has to do something in those other tabs.
[12:49:00 CDT(-0500)] <wgthom> lol
[12:49:06 CDT(-0500)] <serac> That's the "no magic" part.
[12:49:07 CDT(-0500)] <yann2> might add a html refresh every minute in the CAS template ...
[12:49:12 CDT(-0500)] <wgthom> eek
[12:49:24 CDT(-0500)] <yann2> magic skillz
[12:49:38 CDT(-0500)] <serac> Eek indeed, but lots of folks deal with issues like this with loops like that.
[12:49:46 CDT(-0500)] <wgthom> voodoo magic maybe
[12:49:50 CDT(-0500)] <serac> haha
[12:50:18 CDT(-0500)] <wgthom> better solution would be gateway on those apps
[12:50:35 CDT(-0500)] <wgthom> so it's obvious to the user they need to take action.
[12:50:52 CDT(-0500)] <serac> Good idea.
[12:51:11 CDT(-0500)] <wgthom> then SSO magic would "just work"
[12:51:31 CDT(-0500)] <serac> What you absolutely don't want them doing is signing in via multiple tabs.
[12:51:58 CDT(-0500)] <serac> The second login will kill the first one, and if you have single sign-out, that would produce unexpected results for user.
[15:23:30 CDT(-0500)] <yann2> I'll talk to my dev for the gateway - like present a "click here to sign in" button
[15:35:47 CDT(-0500)] <wgthom> yep