I "guess" one could consider doing a recurring validation of the user's session as session management that is beyond the scope of the CAS client, but it seems to me that is what the client is doing anyway with the Assertion object on the initial authentication. E.g., before login there is no Assertion on the session, and after authentication the client puts the Assertion on the session, and from there forward the client decides by checking the session that the user doesn't need to log in again; sounds like session management to me. It doesn't seem like a big stretch to add the capability on the client to check the validity of the session (at least as far as it being an authenticated session is concerned) against the CAS server and update the Assertion object appropriately. Just an observation... but it seems like this would enhance the security provided by CAS.
Anyway..., I understand that this is not how it is intended to work. Thanks for the confirmation.

--
View this message in context: http://n4.nabble.com/CAS-ST-validation-after-authentication-tp1474581p1474800.html
Sent from the CAS Users mailing list archive at Nabble.com.