Hi Justin, Nice that you think of a workaround!
I think it is strange that ticket granting ticket containing user agent... Therefore, I have go ahead and done some additional digging and found the following: https://github.com/apereo/cas/blob/v5.3.7/core/cas-server-core-cookie-api/src/main/java/org/apereo/cas/web/support/DefaultCasCookieValueManager.java#L58 Seems to me that, instead of the TGT containing user agent, is that the cookie manager will not allow cookie created under differnet user agent. @Override protected String obtainValueFromCompoundCookie(final String cookieValue, final HttpServletRequest request) { val cookieParts = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR)). splitToList(cookieValue); if (cookieParts.isEmpty()) { throw new IllegalStateException("Invalid empty cookie"); } val value = cookieParts.get(0); if (!cookieProperties.isPinToSession()) { LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided"); return value; } if (cookieParts.size() != COOKIE_FIELDS_LENGTH) { throw new IllegalStateException("Invalid cookie. Required fields are missing "); } val remoteAddr = cookieParts.get(1); val userAgent = cookieParts.get(2); if (Stream.of(value, remoteAddr, userAgent).anyMatch(StringUtils::isBlank)) { throw new IllegalStateException("Invalid cookie. Required fields are empty" ); } val clientInfo = ClientInfoHolder.getClientInfo(); if (!remoteAddr.equals(clientInfo.getClientIpAddress())) { throw new IllegalStateException("Invalid cookie. Required remote address " + remoteAddr + " does not match " + clientInfo.getClientIpAddress()); } val agent = HttpRequestUtils.getHttpServletRequestUserAgent(request); if (!userAgent.equals(agent)) { throw new IllegalStateException("Invalid cookie. Required user-agent " + userAgent + " does not match " + agent); } return value; } Have you see the above error (*Invalid cookie. Required user-agent....*) in your CAS error log? If so then it would justified my theory. Still, I don't think it is wise to touch on that part of the source code, but it is always good to know in case you need to actually make support on the legacy service for cross compatibility and main browser. Cheers! - Andy -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/f373ad7a-bc64-4c43-ad51-6921811ac28b%40apereo.org.
