Axel,

What benefit would the CAS server get if it remembered the session cookie transmitted by the application server? If anything, this puts an unnecessary burden on the CAS server, for now it must remember another piece of information that will have to be kept in memory, replicated within the cluster and expired whenever the user logs out.

As for the CAS 3.1+ single sign-out functionality, you should not worry about this being a miniature DoS. It is the same amount of traffic regardless of whether the CAS server or the user initiates the logout process: 1 CAS server x N logout requests = 1 user x N applications to log out of.

Andrew R Feller, Analyst
University Information Systems
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA, 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Axel Mendoza Pupo
Sent: Sunday, April 27, 2008 10:56 PM
To: [email protected]
Subject: org.jasig.cas.util.HttpClient

I was looking at this class because when the ticketGrantingTicketImpl.expire() method is executed, behind the scenes an HTTP connection is made to the webapps to log out, and all is great. But analyzing the system more deeply, the HttpClient class, when it makes a connection to the webapps, does not maintain any kind of session, and for every connection it would be creating an HttpSession on the destination webapp. I think that, if it's possible, the HttpClient should maintain the session to reuse in case it is necessary, like browsers do.

And another question: is this not a little DoS (Denial of Service) attack?

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
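As an added illustration of the application side of the exchange discussed in this thread (not code from the thread or from the CAS project): a minimal back-channel logout receiver that matches the CAS server's notification on the service ticket alone and never allocates a session for the caller, which removes the per-request HttpSession cost Axel raises. The SAML LogoutRequest shape, the in-memory session tables and the sample ticket and session ids are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

# Constructed stand-ins for the webapp's session store and for the
# service-ticket -> session mapping it recorded when each user logged in.
ACTIVE_SESSIONS = {"JSESSIONID-111": {"user": "alice"}, "JSESSIONID-222": {"user": "bob"}}
TICKET_TO_SESSION = {"ST-1-abc": "JSESSIONID-111", "ST-2-def": "JSESSIONID-222"}

# Constructed sample notification. Assumed shape: the CAS 3.1 single sign-out
# POST carries a SAML 2.0 LogoutRequest whose SessionIndex is the service ticket.
SAMPLE_LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="constructed-1" Version="2.0" IssueInstant="2008-04-27T22:56:00Z">'
    '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID>'
    "<samlp:SessionIndex>ST-1-abc</samlp:SessionIndex></samlp:LogoutRequest>"
)
SAMPLE_BODY = urlencode({"logoutRequest": SAMPLE_LOGOUT_REQUEST})


def extract_session_index(logout_request_xml):
    """Return the SessionIndex (service ticket) of a LogoutRequest, or None."""
    try:
        root = ET.fromstring(logout_request_xml)
    except ET.ParseError:
        return None
    for element in root.iter():  # tag may or may not carry the samlp namespace
        if element.tag.rsplit("}", 1)[-1] == "SessionIndex" and element.text:
            return element.text.strip()
    return None


def handle_back_channel_logout(form_body):
    """Handle one logout POST from the CAS server; returns (status, session_id).

    No session is ever created for the caller: the notification is matched on
    the ticket alone, so each request costs a lookup rather than a new HttpSession.
    """
    params = parse_qs(form_body)
    xml = params.get("logoutRequest", [None])[0]
    ticket = extract_session_index(xml) if xml else None
    if ticket is None:
        return 400, None
    # pop() keeps the handler idempotent: a duplicate or replayed notification
    # for a ticket that is already gone is answered without further work.
    session_id = TICKET_TO_SESSION.pop(ticket, None)
    if session_id is None:
        return 200, None
    ACTIVE_SESSIONS.pop(session_id, None)
    return 200, session_id
```

A real deployment would parse the XML with a hardened parser and bind the ticket-to-session table to the servlet container's session lifecycle, but the matching logic stays the same.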
