> My environment is CAS overlay 5.0.3.1 with Tomcat 8.0 and Java 1.8 and I do
> not understand how it is possible that the TGC cookie can not be officially
> configured as httponly. I have tested the embedded environment with the same
> result. Am I doing something wrong?

No, you're not doing anything wrong. The httponly support went into CAS around the release of CAS 4, and at the time, given backward compatibility concerns, the flag was configured down at the XML level optionally, and CAS reflectively tried to decide if the container/spec has support for httpOnly and only set the flag if the condition held. Of course, this was documented somewhere. In 5, the setting (and the default value of 'true') for the flag were skipped for no good reason. You're welcome to file an issue for this.

> In my humble opinion I understand it as a great security problem for a
> Single Sign On. Could someone tell me if I'm right?

You're certainly right; however, note that the SSO cookie is both signed and encrypted, and its value is in many ways tied to your deployment. Any tampering with the cookie would/should be rejected, and attackers need to know the password pair to even begin the tampering. Unless you have turned those settings off, there is no security "problem"; just a small improvement to harden the configuration, for which you're welcome to submit a request.

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas

---
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/etPan.58dcf2ce.2886ccd1.77cc%40unicon.net.
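A deployer reading the thread above will want to verify what their own CAS instance actually sends rather than rely on the default. The following is an added example (not code from the CAS project or from anyone in this thread): it parses Set-Cookie header values the way they appear in a login response captured with curl or browser dev tools, and reports whether the ticket-granting cookie (default name `TGC`, as used in the thread) carries the HttpOnly and Secure attributes. The cookie name is taken from the thread; the header lines, the `JSESSIONID` value and the `TGT-1-abc.example` ticket value are constructed placeholders for the example, not captured from a real server.

```python
"""Audit Set-Cookie headers for the CAS ticket-granting cookie (TGC).

Added example, not CAS project code. Parses RFC 6265 style Set-Cookie
header lines and reports whether the TGC carries HttpOnly and Secure.
All header lines below are constructed for the example.
"""
from dataclasses import dataclass, field

TGC_COOKIE_NAME = "TGC"  # default name of the CAS ticket-granting cookie (from the thread)


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> attribute value, or True for flag attributes
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_eq, val = attr.partition("=")
        # Flag attributes such as HttpOnly and Secure have no '=' and are stored as True
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def audit_tgc(headers, cookie_name=TGC_COOKIE_NAME):
    """Return a list of findings for the TGC among the given Set-Cookie headers.

    An empty list means the cookie was found with both HttpOnly and Secure.
    A missing cookie is itself reported as a finding.
    """
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if c.name != cookie_name:
            continue
        if "httponly" not in c.attributes:
            findings.append(f"{cookie_name}: missing HttpOnly (readable by script in the browser)")
        if "secure" not in c.attributes:
            findings.append(f"{cookie_name}: missing Secure (sent over plain HTTP)")
        return findings
    return [f"{cookie_name}: no Set-Cookie header for this cookie"]


# Constructed header lines mimicking a CAS 5 login response before and after
# adding the HttpOnly attribute to the TGC. Values are placeholders.
WEAK_RESPONSE = [
    "Set-Cookie: JSESSIONID=0A1B2C3D; Path=/cas; HttpOnly",
    "Set-Cookie: TGC=TGT-1-abc.example; Path=/cas; Secure",
]
HARDENED_RESPONSE = [
    "Set-Cookie: JSESSIONID=0A1B2C3D; Path=/cas; HttpOnly",
    "Set-Cookie: TGC=TGT-1-abc.example; Path=/cas; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_tgc(resp) or ["ok"])
```

To run it against a real deployment, paste the Set-Cookie lines from `curl -i` on the CAS login response (after a successful authentication) into the list in place of the constructed headers; the audit only looks at the cookie named `TGC`, so other cookies such as the container session cookie are ignored.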