Hi,

There were many questions the last two weeks and so my email fell by the wayside. Does anybody have any suggestions about these needs?

Thanks,
Regards,
Julien Bréda.

-----Original Message-----
From: BREDA Julien [mailto:jbr...@netfinca.com]
Sent: Friday, 4 November 2011 15:17
To: 'cas-dev@lists.jasig.org'
Subject: [cas-dev] Secured cookies - Attributes management

Hi,

I have two questions today:

Secured Cookies

I'm still using CAS server 3.4.10 and I would like to add the option 'httponly' to the cookie sent by the CAS webapp, but it seems it isn't an existing functionality. Could it be available? I saw an old discussion about the security and the answer was something like "the option 'secured' is present and we don't need any more security". However, a developer could overlay the default webapp and introduce an XSS vulnerability and so the TGC could be stolen except if the option 'httponly' is used.

Attributes management

In the management panel, we can choose the SAML attributes which are sent to each service. My CAS webapp supports different kinds of authentication, with each time different kinds of credentials, and then the generated Principal object can expose different attributes. How can I manage all of these sets of attributes in the existing interface?

Thanks,
Regards,
Julien Bréda.