CAS 5.2.5 - One user sees a different user's profile after logging in!


Ganesh Prasad

Mar 5, 2019, 10:01:22 PM
to CAS Community
Hi all,

This is a serious issue, and I think it may have something to do with caching.

I have a user (say User1), who logs into CAS using delegated authentication against an external IdP using pac4j.

I have another user (say User2), who belongs to a different organisation, and who logs into CAS using a local LDAP username and password.

Today, User2 logged in and saw User1's name displayed on the screen. I assume that the rest of the profile (based on the SAML token) was also that of User1. Needless to say, this is a serious issue.

The problem could not be reproduced, but we have screenshots that prove that User2 did see User1's name on screen. They had no idea such a user even existed until they saw it on screen.

Any ideas why this could be happening? Is there a simple setting to turn off caching somewhere? I'm hoping it's something as simple as that.

Regards,
Ganesh

Geng, Kelly

Mar 6, 2019, 11:39:27 AM
to cas-...@apereo.org
Hi Ganesh,

Are the users' login IDs similar to each other in your case? We are seeing similar behaviors intermittently with two users having very similar login IDs, for example brownljb and brownll5, which share the first 6 letters.

Thanks,
Kelly

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fdf9e9ca-8ca0-4853-883f-32af4de4d019%40apereo.org.


--
Kelly

Ray Bon

Mar 6, 2019, 11:40:26 AM
to cas-...@apereo.org
Ganesh,

Was the place where the name was displayed a CAS page or was it the client application?

Was it the same browser (after User1 logged out)?

Were both users active at the same time, perhaps behind a common router?

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Ganesh Prasad

Mar 8, 2019, 1:17:09 AM
to CAS Community
Hi Kelly,

That's an intriguing possibility, because the email addresses (which are our user names) were both in "firstname.lastname" format, and the first names of the two users were "cassandra" and "sandrine", with the letters "sandr" in common between them.

It would be weird if that was the reason.

Regards,
Ganesh

Ganesh Prasad

Mar 8, 2019, 1:25:10 AM
to CAS Community
Hi Ray,

1. The name was displayed in the client application. The client app retrieves the name from the database, based on the email id sent through the SAML token. Unless the token itself is wrong, it can't retrieve another user's name.

2. Different browsers. The users are in different organisations.

3. It's possible that they were both active at around the same time, but it's unlikely that they shared a router, because their offices are in different parts of town.

A related piece of weird behaviour I found was with the pac4j SAML2 integration with an external IdP. One of our customers had given me a temporary username and password on their Active Directory so I could test the login into our client application. Months later, I was still able to log into our application using these credentials, although they had disabled my account on their AD. Something was getting cached along the way, either on my browser or on CAS. I couldn't log in with a new browser.

I suspect that there is some caching of data on CAS, and it gets assigned to another user session under certain circumstances. I further think it has something to do with pac4j rather than with core CAS.

Regards,
Ganesh
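An added example for the two hypotheses raised in this thread (a validated principal that differs from the user who authenticated, and near-identical login IDs active at the same time). This is not code from the thread, CAS or pac4j; the `Login` record layout and the sample data are constructed for illustration and are not the CAS audit log format.

```python
"""Screen constructed login records for the two symptoms discussed in the thread:
a validated principal that differs from the authenticated one, and distinct login
IDs active close together that share a long run of characters (record layout assumed)."""
from datetime import datetime, timedelta
from itertools import combinations
from typing import NamedTuple


class Login(NamedTuple):
    time: datetime
    authenticated_as: str  # principal CAS authenticated
    validated_as: str      # principal the client application saw in the token


def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest run of characters the two IDs share anywhere."""
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def identity_mismatches(logins):
    """Records where the client ended up with a different user than the one who logged in."""
    return [l for l in logins if l.authenticated_as != l.validated_as]


def similar_concurrent_ids(logins, min_shared=5, window=timedelta(minutes=15)):
    """Distinct IDs active within `window` of each other that share >= min_shared characters."""
    pairs = set()
    for a, b in combinations(logins, 2):
        if a.authenticated_as == b.authenticated_as or abs(a.time - b.time) > window:
            continue
        if longest_common_substring(a.authenticated_as, b.authenticated_as) >= min_shared:
            pairs.add(tuple(sorted((a.authenticated_as, b.authenticated_as))))
    return sorted(pairs)


# Constructed sample modelled on the IDs mentioned in the thread; not real accounts.
T0 = datetime(2019, 3, 5, 9, 0)
SAMPLE = [
    Login(T0, "cassandra.doe", "cassandra.doe"),
    Login(T0 + timedelta(minutes=3), "sandrine.roe", "cassandra.doe"),  # the reported symptom
    Login(T0 + timedelta(minutes=5), "brownljb", "brownljb"),
    Login(T0 + timedelta(minutes=6), "brownll5", "brownll5"),
    Login(T0 + timedelta(hours=3), "brownll5", "brownll5"),  # outside the window
]
```

Feeding real validation records into `identity_mismatches` is the check that would have caught User2's session carrying User1's identity; `similar_concurrent_ids` only surfaces candidate pairs for Kelly's similar-ID hypothesis and proves nothing on its own.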