Likely such a check can be added, yes. The underlying problem is that of CAS service and proxy tickets being one-time-use but refreshing the browser results in re-presenting the used-up ticket, which is indistinguishable from presenting a new bogus ticket or an otherwise legitimate but expired ticket.
A classic response to this problem is to introduce a filter or other mechanism post-authentication to redirect the browser to a URL unencumbered by extraneous ticket= parameters in the URL. This has the result of presenting a more attractive, even possibly bookmarkable, URL in the address bar and emphasizes that what is identifying and authenticating the user at that point is an application-specific session cookie. The ticket removed from the address bar, it also becomes more difficult for the user to accidentally re-present the ticket via page refresh.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Kris Melotte
> Sent: Tuesday, July 11, 2006 11:41 PM
> To: Yale CAS mailing list
> Subject: page refresh issue
>
> Hello,
>
> I've installed CAS 3.5 RC2 and CAS Java Client 3.0.0-m1.
>
> When I have been logged in successfully, CAS redirects me to the
> application. Pressing the page refresh button at this time results in an
> error as the CasValidationFilter tries to re-validate the ticket in the
> request for a second time.
>
> Perhaps someone mentioned this already but I think this can be fixed by
> checking on assertion==null, in a similar way as was done in the
> CasAuthenticationFilter.
>
> Best regards,
> Kris
>
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
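The post-authentication redirect described in the reply above, as an added illustration that is not code from the CAS Java Client or from either poster. It is a servlet filter meant to sit after the client's validation filter in the chain: once the validation filter has stored the assertion in the session, any request still carrying a ticket= parameter is answered with a redirect to the same URL with that parameter removed, so a browser refresh re-presents only the session cookie and never the spent ticket. The session attribute name used for the assertion and the filter class name are assumptions for the example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (not part of the CAS client). Map it after the
 * validation filter. When the session already holds a validated assertion
 * and the request URL still carries ticket=..., redirect to a clean URL so
 * that a page refresh does not hand the one-time ticket back to the
 * validation filter.
 */
public class TicketStrippingFilter implements Filter {

    /** Session attribute under which the assertion is stored (assumed name). */
    static final String ASSERTION_ATTR = "_const_cas_assertion_";
    /** Name of the CAS ticket request parameter. */
    static final String TICKET_PARAM = "ticket";

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        boolean authenticated = session != null
                && session.getAttribute(ASSERTION_ATTR) != null;

        if (authenticated && request.getParameter(TICKET_PARAM) != null) {
            // Ticket has already been consumed; the session cookie now identifies the user.
            String clean = buildCleanUrl(request.getRequestURL().toString(),
                                         request.getQueryString());
            response.sendRedirect(clean);
            return;
        }
        // No ticket, or not yet validated: let the normal chain (and validation) proceed.
        chain.doFilter(request, response);
    }

    /** Rebuild the URL with every ticket= pair removed; other parameters keep their order. */
    static String buildCleanUrl(String requestUrl, String queryString) {
        if (queryString == null || queryString.length() == 0) {
            return requestUrl;
        }
        List<String> kept = new ArrayList<String>();
        for (String pair : queryString.split("&")) {
            if (pair.length() == 0) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq >= 0 ? pair.substring(0, eq) : pair;
            if (!TICKET_PARAM.equals(name)) {
                kept.add(pair);
            }
        }
        if (kept.isEmpty()) {
            return requestUrl;   // ticket was the only parameter
        }
        StringBuilder sb = new StringBuilder(requestUrl).append('?');
        for (int i = 0; i < kept.size(); i++) {
            if (i > 0) {
                sb.append('&');
            }
            sb.append(kept.get(i));
        }
        return sb.toString();
    }
}
```

For a request to `https://app.example.org/home?tab=1&ticket=ST-123-abc`, `buildCleanUrl` yields `https://app.example.org/home?tab=1`; with `ticket` as the only parameter it yields the bare request URL. The filter deliberately does nothing when no assertion is in the session, so a genuinely new ticket still reaches the validation filter, and a stale or bogus ticket still fails there rather than being silently swallowed.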
