Hello, I totally agree with you. I see it a problem, more so when applications are often developed with frameworks that have these basic bugs. I would suggest that CAS developers use information from the client's environment (eg source ip, browser type, etc.) that will associate TGT in some way, so that if an attacker does NOT have the same client environment, Cookie in your possession will not work. Although I also think that the attackers may try to replicate that environment to enter. A greeting.
Ale. -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html - CAS documentation website: https://apereo.github.io/cas - CAS project website: https://github.com/apereo/cas --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e2c585e0-f0bc-4d9a-98e1-a7fde675a13d%40apereo.org.