> Doesn't seem like a big stretch to add the capability on the client to
> check the validity of the session

Something already exists that could serve the purpose: the useSession flag on all ticket validation filters; see http://www.ja-sig.org/wiki/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml for more info. Setting that option to false will cause the client to request and validate a CAS ticket for every request to the client application. Clearly this would have a performance impact on both the client application and the CAS server. I realize that this feature is not the best implementation of a periodic check on the CAS server to ensure the SSO session is still alive, but it could be used for that purpose.

> seems like this
> would enhance the security provided by CAS.

My initial reaction to that claim is that the CAS SSO session and the application session are independent in every way and I can't see what additional security would be gained by coupling them. I'd be happy to consider another view if you could elaborate on your idea.

M