Hello,
I totally agree with you. I see it a problem, more so when applications
are often developed with frameworks that have these basic bugs.
I would suggest that CAS developers use information from the client's
environment (eg source ip, browser type, etc.) that will associate TGT
in some way, so that if an attacker does NOT have the same client environment,
Cookie in your possession will not work. Although I also think
that the attackers may try to replicate that environment to enter. A greeting.
Ale.
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/e2c585e0-f0bc-4d9a-98e1-a7fde675a13d%40apereo.org.
