Niral,

Is it possible the hosted environment has more than one tomcat server? If TGTs are not shared between cas instances, then, when switching tomcat servers (controlled by the hosting service / load balancer), the second cas will not know about the login session and force the login screen.
Ticket registry is described at https://apereo.github.io/cas/6.6.x/ticketing/Configuring-Ticketing-Components.html

Alternatively, start with a single cas server, then add more cas servers and the ticket registry when other config is more or less complete.

Ray

On Thu, 2023-07-06 at 14:04 +0000, 'Niral Kunadia' via CAS Community wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Thank you Ray,

Are you deploying the war to more than one tomcat? : I created .war file with gradle on local and deploying to test environment which is some hosted environment.

Is the tomcat on your local dev computer or some hosted environment? : some hosted environment

Thank you for reply.

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Ray Bon
Sent: Wednesday, July 5, 2023 4:37 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

WARNING: THIS IS AN EXTERNAL EMAIL THAT ORIGINATED OUTSIDE OF OUR EMAIL SYSTEM. DO NOT CLICK links / attachments unless you know that the content is safe! For suspicious emails, report using the Phish Alert Report button on the upper left of your email. For marketing/SPAM emails, delete.

Niral,

To see a list of all cas properties:

$ ./gradlew exportConfigMetadata

Which will create a file called config-metadata.properties

You can search for 'tgt' or 'tgc'. The default value will be shown beside the property.

TicketGrantingTicket is the server side session and TGC is the client side cookie used to find the TGT.
To see other gradlew commands:

$ ./gradlew tasks

There are some management endpoints that can provide some info, https://apereo.github.io/cas/6.6.x/monitoring/Monitoring-Statistics.html

Here are some related blog posts:
https://fawnoos.com/2022/02/20/cas65-actuator-endpoints/
https://fawnoos.com/2021/09/06/cas65-sso-sessions/

Some URLs that I use:
https://local.uvic.ca/cas/actuator/ssoSessions
https://local.uvic.ca/cas/actuator/ticketExpirationPolicies

I do not think this is an issue with tomcat. Your steps 3. and 4. suggest that it is working correctly.

You say 'Restarted tomcat services'. Are you deploying the war to more than one tomcat? Is the tomcat on your local dev computer or some hosted environment?

On my local I have a sym link from tomcat/webapps/cas.war to devdir/build/lib/cas.war (this will save a step if tomcat is local). You can also use the docker build and deploy or embedded tomcat run approach. These options are described at the bottom of https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/

Ray

On Wed, 2023-07-05 at 15:27 +0000, 'Niral Kunadia' via CAS Community wrote:

Ray,

I upgraded CAS to 6.6.9 from 6.5.8. I am able to login to cas with authentication and on refresh somehow TGC is expiring and asking for login credentials again. Is there any setting I have to add in cas.properties?

I did these steps:

1. Copy cas.war to test environment. Restarted tomcat services.
2. Open URL in browser cas/login
3. Able to login and getting profile info.
4. On refresh still able to see profile page.
5. Then I logout cas/logout
6. Again open login screen and entered credentials. Able to login and on refresh it is displaying profile.

If I don’t do cas/logout, somehow tgc ticket is expiring. But after a few seconds somehow TGC is expiring. How can I add expiration time in 6.6.9?
I don’t have any setting related to tgc in my 6.5.8 version.

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Ray Bon
Sent: Thursday, June 22, 2023 10:20 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

Niral,

Is the page you are refreshing the cas default login page or is it a page in your client application? Can you post the URL when you land on the cas login page after a refresh?

Ray

On Wed, 2023-06-21 at 19:34 +0000, 'Niral Kunadia' via CAS Community wrote:

Thank you so much Ray for quick reply.

I am able to fix custom theme issue and page loading with all css properly and I am able to login to CAS and able to see my credentials with other profile info. But when I refresh page it automatically logs me out. Any suggestions or idea?

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Ray Bon
Sent: Wednesday, June 21, 2023 10:27 AM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

Niral,

Here is a handy blog, https://fawnoos.com/2022/07/22/cas66-ui-themes/

Ray

On Fri, 2023-06-16 at 12:08 +0000, 'Niral Kunadia' via CAS Community wrote:

Hello Ray,

I am upgrading from 6.5.9 to 6.6.8. As we are using custom login page UI, I have to do few changes in src folder. I have below code in src/main/resources/templates/layouts.html.

<link rel="stylesheet" type="text/css" th:href="@{#{webjars.fontawesomemin.css}}"/>

I would like to add webjars dependency in build.gradle. I did not find any sample for this. Please help! As webjars is not finding this, it is displaying blank page instead of custom login page.

Thank you
Niral

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Ray Bon
Sent: Tuesday, June 6, 2023 12:32 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

Niral,

That version is VERY old. I suggest you use or upgrade to the latest version. See https://apereo.github.io/cas/developer/Maintenance-Policy.html

It is possible that the properties you have do not work with that old version.

You should be using the overlay instead of the main cas project https://github.com/apereo/cas-overlay-template
The main cas project is for developers. See https://fawnoos.com/2022/08/06/cas66-gettingstarted-overlay/

Your application should not be calling to cas on a page refresh (unless it has a proxy dependency - which I will assume it does not).
Once logged in, your application should set its own session lifetime - independent of cas. Cas is not an application session manager; it is an SSO manager. The timeouts you have been asking about are SSO session timeouts.

Ray

On Mon, 2023-06-05 at 18:25 +0000, 'Niral Kunadia' via CAS Community wrote:

Ray,

When you say 'on that page for a few mins', what page are you talking about? – webpage of our app which is integrated with CAS login. If I login from this page or refresh this page, it is creating new ticket and I can see that on logs.

I am using this repo: GitHub - apereo/cas at 5.3.x <https://github.com/apereo/cas/tree/5.3.x>

Thank you,
Niral

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Ray Bon
Sent: Monday, June 5, 2023 12:51 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

Niral,

Ticket expiration is built in, nothing to include.

When you say 'on that page for a few mins', what page are you talking about?

Ray

On Mon, 2023-06-05 at 13:21 +0000, 'Niral Kunadia' via CAS Community wrote:

Ray,

You are correct, I am doing these steps

Post your cas.ticket.tgt.* config and the steps that you are performing.
I just tested with 6.5.9 and can confirm that these settings work:

cas.ticket.tgt.primary.max-time-to-live-in-seconds=301
cas.ticket.tgt.primary.time-to-kill-in-seconds=120

Are there any dependencies I have to add or extra properties? Or do I need to enable any other ticketing properties in configs?

One more question: cas.ticket.tgt.primary.time-to-kill-in-seconds=120, for this even if server is active/issuing new tickets, does session expire after 120 sec? I don’t want it to expire if I am on that page for few mins, it just keeps expiring session even if there is activity.

Can you please send me link for repo you are using?

Thank you,
Niral

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Ray Bon
Sent: Friday, June 2, 2023 4:35 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

Niral,

Perhaps I am misunderstanding what it is that you are doing.

Post your cas.ticket.tgt.* config and the steps that you are performing.

I just tested with 6.5.9 and can confirm that these settings work:

cas.ticket.tgt.primary.max-time-to-live-in-seconds=301
cas.ticket.tgt.primary.time-to-kill-in-seconds=120

Ray

On Fri, 2023-06-02 at 17:30 +0000, 'Niral Kunadia' via CAS Community wrote:

Thank you Ray,

I notice even if I issue new ticket and keep server busy/active, it is still killing session instead of expanding session. I am using CAS 6.5.9

What is best scenario to test this or some logs or setting I need to add?

Thank you,
Niral

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Ray Bon
Sent: Wednesday, May 31, 2023 12:31 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

Niral,

A refresh of the cas page may not be enough. You may have to get cas to issue a new ST [to a different application]. The service does not have to be real, just added to the service registry.

Use this type of url to get cas to go through the login process and issue a ST.

https://cas.host/cas/login?service=https://madeup.service <https://dev.uvic.ca/cas/login?service=https%3A%2F%2Fdemocasclientdev.uvic.ca%2Fdemocasclient%2Fcallback%3Fclient_name%3DCasClient>

Ray

On Wed, 2023-05-31 at 13:39 +0000, 'Niral Kunadia' via CAS Community wrote:

Hello Ray,

Thank you for reply. This is very useful.

cas.ticket.tgt.primary.max-time-to-live-in-seconds=240
cas.ticket.tgt.primary.time-to-kill-in-seconds=180

These are the settings and for testing I am following these steps.

I login with cas credentials to web page, after login refresh page every 10 seconds or so for about three mins, I am getting authenticate message and I am logged in in web page. That means cas server is not idle and in cas logs I can see ‘Authentication event occurred’. So even when server is not idle and with activity, page is getting logout screen after three mins as we set cas.ticket.tgt.primary.time-to-kill-in-second=180.
These settings work as expected if server is idle, but not if server is not idle. Not able to find why this is happening.

Thank you,
Niral

From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Ray Bon
Sent: Tuesday, May 30, 2023 2:09 PM
To: cas-user@apereo.org
Subject: Re: [cas-user] CAS session management - Ticket Expiration Policies - CAS 6.5

Niral,

TGT is for life of cas login session, not application session. I am not sure if cas can send logouts to services when TGT expires - that would create strange issues in the client applications.

These settings will allow cas session length to increase beyond 30m only if user logs in to other services or visits cas to refresh a service, etc. (The values are in seconds. I seem to recall that the minimum value is 2m.)

cas.ticket.tgt.primary.max-time-to-live-in-seconds=some-value-greater-than-1800
cas.ticket.tgt.primary.time-to-kill-in-seconds=1800

For viewing the reports, some additional info can be found, https://apereo.github.io/cas/6.5.x/monitoring/Monitoring-Statistics.html

Ray

On Tue, 2023-05-30 at 08:30 -0700, 'Niral Kunadia' via CAS Community wrote:

Hello,

I would like to set, if server is idle/no activity for 30 mins, users should automatically logout and session should expire. If there is activity user stays logged in without logout.

I tried to set these two properties in .properties file but it still logs out the user even if there is activity.

management.endpoint.ticketExpirationPolicies.enabled=true
management.endpoints.web.exposure.include=ticketExpirationPolicies
cas.ticket.tgt.primary.max-time-to-live-in-seconds=120
cas.ticket.tgt.primary.time-to-kill-in-seconds=30

I also added dependency -

implementation "org.apereo.cas:cas-server-support-reports:${project.'cas.version'}"

from CAS - Configuring Ticket Expiration Policy Components (apereo.github.io) <https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html>

Please any advice.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/45a68565c1a13c0295f8fbbbcd49ef99805ac6fa.camel%40uvic.ca.
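
Added example, not part of the original thread and not CAS source code: a toy model of the two points the replies make, namely that only a visit to CAS itself slides the time-to-kill window while max-time-to-live is a hard cap, and that a second node without a shared ticket registry does not know the TGT. The names CasNode, Tgt and first_login_prompt are hypothetical, the expiry rule is a simplification, and the timings reuse the 240/180 values from the thread.

```python
"""Toy model of the CAS SSO session (TGT) behaviour discussed in this thread.
Added illustration only: a simplified model, not CAS source code."""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class Tgt:
    created: int    # second at which the user logged in to CAS
    last_used: int  # last second at which CAS itself used the TGT


@dataclass
class CasNode:
    max_ttl: int   # cas.ticket.tgt.primary.max-time-to-live-in-seconds
    idle_ttl: int  # cas.ticket.tgt.primary.time-to-kill-in-seconds
    registry: dict = field(default_factory=dict)  # ticket registry: TGC -> Tgt

    def login(self, tgc, now):
        self.registry[tgc] = Tgt(created=now, last_used=now)

    def request_st(self, tgc, now):
        """True if the SSO session is still valid (an ST would be issued),
        False if this node would show the login screen."""
        tgt = self.registry.get(tgc)
        if tgt is None:
            return False  # this node has never seen the TGT
        expired = (now - tgt.created > self.max_ttl
                   or now - tgt.last_used > self.idle_ttl)
        if expired:
            del self.registry[tgc]
            return False
        tgt.last_used = now  # only a visit to CAS slides the idle window
        return True


def first_login_prompt(nodes, cas_visits, tgc="TGC-constructed"):
    """Log in at t=0 on the first node, then send each later CAS visit
    (e.g. /cas/login?service=...) to the nodes round-robin, as a load
    balancer without sticky sessions would. Returns the second at which
    the login screen reappears, or None if it never does."""
    balancer = cycle(nodes)
    next(balancer).login(tgc, 0)
    for now in cas_visits:
        if not next(balancer).request_st(tgc, now):
            return now
    return None


def scenarios():
    shared = {}  # one dict standing in for a shared ticket registry
    return {
        "app refreshes only, CAS next visited at 190s":
            first_login_prompt([CasNode(240, 180)], [190]),
        "CAS visited every ~60s":
            first_login_prompt([CasNode(240, 180)], [60, 120, 180, 230, 300]),
        "two nodes, separate registries":
            first_login_prompt([CasNode(240, 180), CasNode(240, 180)], [5, 10]),
        "two nodes, shared registry":
            first_login_prompt([CasNode(240, 180, shared),
                                CasNode(240, 180, shared)], [5, 10, 15]),
    }


if __name__ == "__main__":
    for name, prompt_at in scenarios().items():
        print(f"{name}: login screen at {prompt_at}")
```

Refreshing a page inside the client application never calls request_st in this model, which is why the first scenario lists a single CAS visit.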