Hi there,
We have recently found that the original link https://localhost:8443/cas/login will always say "Log In Successful" once you have logged in once, as long as you don't close the browser. I know https://localhost:8443/cas/ is probably never accessed directly by regular users, but I have reached that page a few times on certain occasions. After I submitted a ticket with Unicon, Jen Bourey determined that the behavior is the result of how cookies are handled in the browser. She wrote:

When you first visit /cas/login, the CAS webflow checks to see if you have a TGT (ticket granting ticket) ID saved as a cookie. If the cookie was found, the flow then checks to see if a service was specified. If no service parameter exists, the flow:

1. Check presence of TGT cookie. If no cookie was found, send the user to the login page. If a cookie exists, check the service.
2. If no service was found, display the "generic success" page (that's the one that says your login was successful). If a service was found, attempt to get a service ticket for the service.

The code doesn't check to see whether the TGT ID corresponds to a currently-valid TGT until it gets to the step of attempting to get a service ticket. Since the cookie sticks around until either you actively log out of CAS or close your browser, if you don't specify a service, you'll see the generic login success message even if your session has expired.

The non-SSL (8080) version of CAS never displays the generic login message because the TGT cookie is marked as "secure." As a result, that ticket never gets set over an insecure connection.

I'll be out of the office tomorrow and Friday, but if you'd like, when I get back I can bring this to the CAS developer list and get some feedback as to whether they'd consider this to be a bug.

Any feedback is appreciated.
Thanks,
Alvin

--
You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
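The decision sequence described in the message above, modelled as an added Python example. This is constructed illustration code, not CAS's webflow, Unicon's code, or anything from the list; the cookie name, ticket registry, ticket ids and timestamps are all assumptions. It reproduces the three observations in the post (a stale TGT cookie still yields the generic success page, the same cookie is rejected as soon as a service ticket is requested, and the Secure-flagged cookie is never presented on the non-SSL port) and adds a `validate_tgt_before_success` switch showing the one extra check that would close the gap.

```python
"""Stand-alone model of the /cas/login decision flow (constructed example,
not CAS code). The default behaviour follows the description in the post:
TGT validity is only checked when a service ticket is requested."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Placeholder for whatever cookie name the deployment uses for the TGT id.
TGT_COOKIE = "TGT_COOKIE"


@dataclass
class TicketRegistry:
    """In-memory ticket store: a TGT id maps to its expiry (epoch seconds)."""
    tgts: Dict[str, float] = field(default_factory=dict)

    def create_tgt(self, tgt_id: str, ttl_seconds: float, now: float) -> None:
        self.tgts[tgt_id] = now + ttl_seconds

    def tgt_is_valid(self, tgt_id: str, now: float) -> bool:
        expiry = self.tgts.get(tgt_id)
        return expiry is not None and now < expiry

    def grant_service_ticket(self, tgt_id: str, service: str, now: float) -> Optional[str]:
        # This is the only place the described flow consults TGT validity.
        if not self.tgt_is_valid(tgt_id, now):
            return None
        return f"ST-{tgt_id}-{service}"  # constructed ticket format


@dataclass
class Request:
    https: bool
    cookies: Dict[str, str]
    service: Optional[str] = None


def login_flow(registry: TicketRegistry, request: Request, now: float,
               validate_tgt_before_success: bool = False) -> str:
    """Return the page the browser would receive for this request."""
    # A cookie flagged Secure is never sent by the browser over plain HTTP,
    # so the non-SSL port never sees a TGT id at all.
    tgt_id = request.cookies.get(TGT_COOKIE) if request.https else None

    # Step 1: no TGT cookie -> login form.
    if tgt_id is None:
        return "login-form"

    # Step 2a: no service parameter -> generic success page. As described,
    # the TGT is not validated here; the optional check is the hardening.
    if request.service is None:
        if validate_tgt_before_success and not registry.tgt_is_valid(tgt_id, now):
            return "login-form"
        return "generic-success"

    # Step 2b: a service was given -> validity is checked while issuing the ST.
    st = registry.grant_service_ticket(tgt_id, request.service, now)
    if st is None:
        return "login-form"
    return f"redirect:{request.service}?ticket={st}"


def demo() -> Dict[str, str]:
    """Walk one browser session through the cases in the post."""
    registry = TicketRegistry()
    t0 = 1_000_000.0                      # constructed login time
    registry.create_tgt("TGT-1", ttl_seconds=3600, now=t0)
    cookies = {TGT_COOKIE: "TGT-1"}       # cookie kept until browser closes
    svc = "https://app.example/"          # constructed service URL
    fresh, stale = t0 + 10, t0 + 7200     # within TTL / after expiry
    return {
        "fresh_no_service": login_flow(registry, Request(True, cookies), fresh),
        "fresh_service": login_flow(registry, Request(True, cookies, svc), fresh),
        "stale_no_service": login_flow(registry, Request(True, cookies), stale),
        "stale_service": login_flow(registry, Request(True, cookies, svc), stale),
        "stale_no_service_hardened": login_flow(
            registry, Request(True, cookies), stale, validate_tgt_before_success=True),
        "non_ssl": login_flow(registry, Request(False, cookies), fresh),
    }


if __name__ == "__main__":
    for case, page in demo().items():
        print(f"{case:28s} -> {page}")
```

Running it shows `stale_no_service` still returning `generic-success` while `stale_service` already falls back to the login form; only the hardened variant makes the two cases agree. If you want to confirm the behaviour on a real deployment, the equivalent check is simply visiting /cas/login with and without a `service` parameter after the TGT has expired and comparing the two responses.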