Andrew, my experience using Firefox and Chrome (and I think IE as well) to
access CAS-protected applications differs. If the cookies are set right by
the server, it is sufficient to kill the browser to force a new login.

I'm not claiming that public internet terminals are safe or that there are
no ways to exploit this, but I would say that if your application remains
accessible after your browser is restarted, then you should be looking at
your application setup and then your CAS setup to ensure that the cookies
are set to expire upon the end of the session (and that the caching control
is also set properly for sensitive pages).  None of this is foolproof, but
basic safeguards should be maintained.

David Ohsie
Software Architect
EMC Corporation
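As an added example (not from this thread and not CAS project code), the following Python checker tests a captured set of response headers for the two conditions David names here and again in his earlier reply further down: a session cookie that carries an Expires or Max-Age and so outlives the browser session, and a sensitive page served without Cache-Control: no-store. The sample header sets, the session-cookie names it looks for (JSESSIONID, CASTGC) and all function names are assumptions made for the example.

```python
"""Audit HTTP response headers for persistent "session" cookies and cacheable
sensitive pages.  Example code written for this thread; not part of CAS."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names treated as session cookies.  JSESSIONID is the servlet container
# default and CASTGC is the CAS ticket-granting cookie; both are assumed here.
# Add your own application's session cookie name to this set.
SESSION_COOKIE_NAMES = {"JSESSIONID", "CASTGC"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as HttpOnly map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_is_persistent(attrs, now=None):
    """True if Expires/Max-Age make the cookie outlive the browser session.

    Max-Age <= 0 or an Expires date in the past is a deletion, not persistence.
    Max-Age wins over Expires when both are present (RFC 6265 precedence).
    """
    now = now or datetime.now(timezone.utc)
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False
    return False


def audit_response(headers, now=None):
    """Return a list of findings for a response's (name, value) header pairs.

    Repeated Set-Cookie and Cache-Control headers are handled; header names
    are matched case-insensitively.
    """
    findings = []
    cache_directives = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            if cname in SESSION_COOKIE_NAMES and cookie_is_persistent(attrs, now):
                findings.append(f"{cname} is persistent and will survive a browser restart")
        elif lname == "cache-control":
            for directive in value.split(","):
                cache_directives.add(directive.strip().split("=")[0].lower())
    if "no-store" not in cache_directives:
        findings.append("Cache-Control lacks no-store: page body may be kept in the browser cache")
    if "public" in cache_directives:
        findings.append("Cache-Control: public allows shared caches to keep the page")
    return findings


# Constructed sample responses for a protected page: one misconfigured the way
# the thread describes, one with session-scoped cookies and no caching.
BAD_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Expires=Fri, 01 Mar 2030 12:00:00 GMT; HttpOnly"),
    ("Cache-Control", "public, max-age=3600"),
]
GOOD_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
]

if __name__ == "__main__":
    for label, hdrs in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(label, audit_response(hdrs) or ["no findings"])
```

Feed it the headers of a protected page as captured from the server (for example the output of `curl -i` while authenticated); an empty findings list means the cookies are session-scoped and the page will not be written to the browser cache. A clean result is the "basic safeguard" part only: as Andrew's reply notes, a browser that restores its previous session on restart can bring even session-scoped cookies back, which this check cannot detect.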

From: Andrew Petro [mailto:ape...@unicon.net] 
Sent: Thursday, February 28, 2013 2:43 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Public computer login and CAS

I believe this is a well-known issue.

Modern browsers take liberties with their interpretation of the duration of
session-scoped cookies, such that merely closing the web browser is no
longer sufficient.

Users need to either explicitly log out of CAS to end their single sign-on
session and out of your application to end their session with your
application, or explicitly log out of their operating system desktop session
to prevent others from accessing it.  The latter is far preferable.

You can try to make explicit logout from CAS have a side effect of single
logout callbacks to your application to also log the user out of the
application, but this doesn't address the root issue of there being a window
of time within which the end user has valid session cookies that the browser
did not clean up on browser close such that re-opening the browser can
resurrect them.

Known shared browser installs can and should be configured to implement a
tighter understanding of what a session cookie's duration ought to be.  To
the extent that you're curating browser installs for, say, known-shared
computers in computer labs on a campus, those browser installs should be so
configured.  Internet cafe purveyors ought to do this.  Most probably don't.
Then again, I just assume that all Internet cafe computers are equipped with
at least one malware keystroke logger. [1]

Otherwise, end users really really should be afforded the opportunity to
fully log out of their operating system sessions, and should do so when
leaving a shared computer.

[1]: A quick Google search suggests I'm not far off -- four out of ten
internet cafes providing keystroke loggers with their lattes in this one
study.  http://www.jiti.net/v11/jiti.v11n3.169-182.pdf

On Thu, Feb 28, 2013 at 2:08 PM, Ohsie, David <david.oh...@emc.com> wrote:

Do you have "Remember Me" turned on?

If not, it is possible that either the session cookies from your site are
persistent (with an explicit Expires/Max-Age) or else the cache control
headers are allowing some pages to remain within the browser cache.

From: Danny Sinang [mailto:d.sin...@gmail.com] 
Sent: Thursday, February 28, 2013 12:55 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] Public computer login and CAS

Hi,

I noticed that closing and reopening my browser allows me to access
protected webpages on my CASified site.

This could be a problem if I logged in from a public computer (internet
cafe, etc).

Is there a way to secure against this?

Regards,
Danny

-- 
You are currently subscribed to cas-user@lists.jasig.org as:
david.oh...@emc.com

To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
