Adjusting the CAS SSO duration

This page documents how to adjust the CAS SSO session duration and collects information about implementing "remember me" in CAS, where an authenticated CAS session lasts longer than a single browser session.

Generally

Ticket expiration parameters

CAS ticket caches can be configured for how long they retain, and consider valid, information about the tickets they have vended. You can lengthen the "single sign on session" as perceived by end users by increasing these ticket expiration timeouts.

Remember me

CAS's out of the box behavior of using browser-session-scoped cookies is probably a feature. Remembering the user across browser sessions introduces additional security concerns (do other users have access to the cookie store?), a longer window for an adversary to guess the TGT (is the TGT length still long enough?), and user interface considerations (users are accustomed to "logging out of" CAS by closing the browser window and only rarely use the explicit CAS logout facility).

In CAS 2

Out of the box parameters

In web.xml, you can adjust ticket timeouts. Specifically, the ticket granting ticket timeout is specified as the context parameter "edu.yale.its.tp.cas.grantingTimeout". It is specified in seconds, and its default value is two hours.

    <!-- Timeout for granting tickets -->
    <context-param>
        <param-name>edu.yale.its.tp.cas.grantingTimeout</param-name>
        <param-value>7200</param-value>
    </context-param>

Since the timeouts are stored as integers (max value 2,147,483,647) and converted to milliseconds, the maximum timeout in seconds is 2147483 (almost 25 days). If you need longer timeouts than that, you will have to change 'int' to 'long' for the timeouts and tolerances in the CAS Java code.

Implementing "remember me"

By default, the CAS Ticket Granting Cookie (the browser-side representation of the Ticket Granting Ticket, which allows the browser to participate in the CAS SSO session) is configured to expire when the user closes the browser (ends the browser session).

Login.java sendTgc method
  /**
   * Creates, sends (to the given ServletResponse), and returns a
   * TicketGrantingTicket for the given username.
   */
  private TicketGrantingTicket sendTgc(String username,
                                       HttpServletRequest request,
                                       HttpServletResponse response) throws ServletException {
    try {
      // Server-side TGT; its validity is bounded by the grantingTimeout context parameter.
      TicketGrantingTicket t = new TicketGrantingTicket(username);
      // The cache hands back the opaque token that becomes the cookie value.
      String token = tgcCache.addTicket(t);
      Cookie tgc = new Cookie(TGC_ID, token);
      tgc.setSecure(true);   // only ever sent over HTTPS
      tgc.setMaxAge(-1);     // session cookie: discarded when the browser closes
      tgc.setPath(request.getContextPath());
      response.addCookie(tgc);
      return t;
    } catch (TicketException ex) {
      throw new ServletException(ex.toString());
    }
  }

Setting the cookie's max age to -1 indicates that the cookie persists until browser shutdown.

Setting the cookie instead to have a maximum age of some particular number of seconds produces a cookie that browsers are requested to persist across sessions until that number of seconds has elapsed.

tgc.setMaxAge(302400);
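The two settings above only work together: a persistent TGC that outlives the server-side TGT carries a token the ticket cache will reject once grantingTimeout has elapsed, and grantingTimeout itself is capped by the int millisecond conversion. The following is an added example (not CAS code) in plain Java; the class and method names are hypothetical, and the value it computes is what you would pass to tgc.setMaxAge in sendTgc.

```java
/**
 * Added example (not CAS code): sizes the TGC cookie Max-Age so a "remember me"
 * cookie never outlives the server-side TGT, and shows why the int-based
 * seconds-to-milliseconds conversion caps grantingTimeout.
 */
public final class TgcLifetime {

    /** Largest grantingTimeout (seconds) whose millisecond value still fits in an int. */
    public static final int MAX_INT_SAFE_SECONDS = Integer.MAX_VALUE / 1000;

    /** CAS 2 style conversion: int seconds * 1000 overflows above MAX_INT_SAFE_SECONDS. */
    public static int legacyTimeoutMillis(int seconds) {
        return seconds * 1000;
    }

    /** The conversion after changing int to long: no overflow for any int number of seconds. */
    public static long timeoutMillis(int seconds) {
        return seconds * 1000L;
    }

    /** Parses the grantingTimeout context-param value (decimal seconds, as in web.xml). */
    public static int parseGrantingTimeout(String paramValue) {
        int seconds = Integer.parseInt(paramValue.trim());
        if (seconds <= 0 || seconds > MAX_INT_SAFE_SECONDS) {
            throw new IllegalArgumentException(
                "grantingTimeout must be between 1 and " + MAX_INT_SAFE_SECONDS + " seconds");
        }
        return seconds;
    }

    /**
     * Max-Age for the TGC. Without remember-me the cookie stays session-scoped (-1).
     * With remember-me it is clamped to the TGT timeout, because a cookie that
     * outlives its TGT only carries a token the tgcCache no longer recognizes.
     */
    public static int tgcMaxAge(boolean rememberMe, int rememberMeSeconds, int grantingTimeoutSeconds) {
        if (!rememberMe || rememberMeSeconds <= 0) {
            return -1;
        }
        return Math.min(rememberMeSeconds, grantingTimeoutSeconds);
    }

    public static void main(String[] args) {
        int granting = parseGrantingTimeout("7200");            // the web.xml default
        System.out.println(tgcMaxAge(false, 302400, granting)); // no remember-me: session cookie
        System.out.println(tgcMaxAge(true, 302400, granting));  // remember-me longer than the TGT: clamped
        System.out.println(tgcMaxAge(true, 302400, 604800));    // grantingTimeout raised to a week
        System.out.println(legacyTimeoutMillis(MAX_INT_SAFE_SECONDS + 1) < 0); // int conversion wraps
        System.out.println(timeoutMillis(MAX_INT_SAFE_SECONDS + 1));           // long conversion does not
    }
}
```

Raise grantingTimeout in web.xml before, or together with, the cookie's max age; otherwise the remembered cookie merely refers to an expired TGT.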