Hello cas-users,

I got two services working with CAS SSO. But as a service ticket (ST) is only valid for the actual log-in and a very short time, I was wondering how one should approach two things:

1) re-validate that the user is still logged into CAS, a.k.a. has a valid TGT, having a much shorter application session lifetime than the TGT lifetime might be. (This completely ignores the fact that one could simply support Single-Log Out (SLO) for the service so CAS can invalidate old TGTs.)

2) extending the lifetime of the TGT through activity in one (or more) services but without sending the user to the CAS login page again?

Should one simply embed a request to the CAS webserver into every service website so the user-agent does requests to CAS from time to time? Maybe via a simple AJAX request? How does one throttle those requests then?

I have seen the diagram on https://jasig.github.io/cas/development/installation/Logout-Single-Signout.html but am still wondering if a user would not expect to still be logged in (valid TGT) after being active for some time in one service for a while, somehow "showing" activity.

Of course one could argue that switching between services occasionally and therefore ending up being redirected to CAS should be enough to maintain the TGT, but imagine a rather short TGT lifetime (sliding window, so expecting activity) and a user being active in a long-lived application like a groupware or a soft phone. If the user shows some sort of activity there, extending the TGT and therefore staying logged in is what the user would expect.

Regards
Christian