Hi, We have had a user complain about the behaviour of an application protected by CAS single sign on.
The user Alice has logged into the application via the CAS login page, then pressed back on their browser and bookmarked the URL with https://example.com/?ticket=ST-344-adfafff...... Alice has then shared that URL with another person, Bob. Bob navigates to the link supplied by Alice and is now logged into the application as Alice. This is a surprise to Alice and Bob.

Is there any way to help prevent users bookmarking URLs containing the ticket? Is there any way to prevent Bob logging in as Alice with the URL with Alice's ticket?

We are currently thinking that we have to educate users not to bookmark the URLs that have the ticket parameter, but that seems a bit weak.

Any suggestions or insight would be welcome.

Thanks in advance.

Rob

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG

---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b1a5bf3d-e7cc-4065-8f14-ece00e261af3n%40apereo.org.
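An added example, not code from the original post or from the CAS project, showing the two client-side behaviours that address the scenario above: the service ticket is consumed on its first validation (so a replayed bookmark is rejected), and the client redirects to the same URL with the ticket parameter stripped after validating it (so the ticket never sits in the URL bar to be bookmarked). The CAS server is replaced by a constructed in-memory stand-in; `FakeCasServer`, `handle_request`, `strip_ticket` and the 10-second lifetime are assumptions of this example.

```python
# Added example (not from the original post or the CAS project): a CAS client's
# ticket-handling step. The CAS server is a constructed in-memory stand-in for
# the real /serviceValidate endpoint (assumption: a real client calls it over HTTPS).
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
import secrets
import time

TICKET_TTL = 10.0  # seconds; service tickets are meant to be short-lived

class FakeCasServer:
    """In-memory stand-in for CAS: issues single-use, short-lived service tickets."""
    def __init__(self):
        self._tickets = {}  # ticket -> (user, service, issued_at)

    def issue(self, user, service):
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (user, service, time.time())
        return ticket

    def validate(self, ticket, service):
        entry = self._tickets.pop(ticket, None)  # consumed on first use
        if entry is None:
            return None  # unknown or already-consumed ticket
        user, issued_for, issued_at = entry
        if issued_for != service or time.time() - issued_at > TICKET_TTL:
            return None  # wrong service or expired
        return user

def strip_ticket(url):
    """Return url with the CAS 'ticket' query parameter removed."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit(parts._replace(query=urlencode(query)))

def handle_request(cas, url, sessions, cookie=None):
    """Client step: returns (status, redirect_target_or_user, session_cookie)."""
    if cookie in sessions:
        return 200, sessions[cookie], cookie  # existing session wins
    ticket = dict(parse_qsl(urlsplit(url).query)).get("ticket")
    if ticket is None:
        return 401, None, None  # no ticket: would send the user to CAS login
    service = strip_ticket(url)  # the service URL CAS issued the ticket for
    user = cas.validate(ticket, service)
    if user is None:
        return 401, None, None  # replayed or expired ticket: no login
    new_cookie = secrets.token_urlsafe(16)
    sessions[new_cookie] = user
    return 303, service, new_cookie  # redirect so the ticket leaves the URL bar
```

With these two behaviours in place, a second request carrying Alice's ticket and no session cookie is refused rather than logged in as Alice, and the URL a user can bookmark after login no longer contains the ticket.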