renew=true, risk of bypassing?


Pablo Vidaurri

Aug 16, 2022, 1:13:05 PM
to CAS Community
So I have an application with certain parts allowing a long SSO session and other areas that require login every time.

I know I can leverage the renew query parameter, but how do I prevent the user from simply removing it and then accessing the secured part of the app without logging in again?

For example, I want the user to provide their credentials every time they access their profile. So if there is already an active session for https://www.myapp.com and they access their profile, I will redirect them to https://www.mycas.com/auth/login?renew=true&TARGET=https://www.myapp.com/myprofile

This works, but I can also remove the renew query parameter and directly hit myprofile page since I already have a session to the app.

Richard Frovarp

Aug 16, 2022, 1:30:43 PM
to cas-...@apereo.org
Part of the response metadata coming back is if the authentication is from a new login. I think it will also tell you what time the auth happened. Don't trust the user provided data, validate that what CAS is telling you matches your security requirement. If it doesn't, don't let them pass.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ea11170-164e-4408-bc66-422bf188c108n%40apereo.org.


Misagh

Aug 16, 2022, 1:34:41 PM
to CAS Community

Ray Bon

Aug 16, 2022, 1:39:07 PM
to cas-...@apereo.org
Pablo,

You can turn off SSO for an application in the service definition, https://apereo.github.io/cas/6.5.x/services/Configuring-Service-Access-Strategy.html

Ray

On Tue, 2022-08-16 at 10:13 -0700, Pablo Vidaurri wrote:
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Pablo Vidaurri

Aug 16, 2022, 1:45:19 PM
to CAS Community, Ray Bon
Can't, as the same app requires a normal session and a renew session ... exploring Misagh's suggestion of renew on ticket validation.
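An added example (not code from this thread, and not part of the CAS project) showing the two server-side controls discussed above: for the profile route the application validates the service ticket with `renew=true` on the CAS validation endpoint, so a ticket minted from an existing SSO session fails validation regardless of what the browser put in the login URL, and it additionally checks the `isFromNewLogin` and `authenticationDate` attributes that CAS returns in the protocol v3 validation response rather than trusting anything the user supplied. The XML responses below are constructed samples; `CAS_SERVER` and `APP_SERVICE` reuse the hosts from the original question; `parse_cas_date` assumes an ISO-8601 timestamp, which is an assumption about how a given CAS version serialises `authenticationDate`.

```python
"""Enforce a fresh login for a CAS-protected route on the server side."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_SERVER = "https://www.mycas.com/auth"          # hosts taken from the question
APP_SERVICE = "https://www.myapp.com/myprofile"


def build_validate_url(ticket, service, require_fresh):
    """Server-to-server validation URL. 'renew=true' here makes CAS reject a
    ticket that was issued from an existing SSO session, independent of the
    browser-visible login URL the user could tamper with."""
    params = {"service": service, "ticket": ticket}
    if require_fresh:
        params["renew"] = "true"
    return f"{CAS_SERVER}/p3/serviceValidate?{urlencode(params)}"


def parse_cas_date(text):
    """Assumption: ISO-8601 text, optionally with fractional seconds,
    a trailing 'Z', or a bracketed zone id; normalise to an aware datetime."""
    s = re.sub(r"\[.*\]$", "", text.strip())
    s = re.sub(r"\.\d+", "", s)
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    dt = datetime.fromisoformat(s)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_validation(xml_text):
    """Extract the fields the access decision needs from a CAS v3 response."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"),
                "message": (failure.text or "").strip()}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return {"ok": False, "code": "MALFORMED", "message": "no success element"}
    result = {"ok": True, "user": success.findtext("cas:user", namespaces=CAS_NS),
              "is_from_new_login": None, "authentication_date": None}
    attrs = success.find("cas:attributes", CAS_NS)
    if attrs is not None:
        fresh = attrs.findtext("cas:isFromNewLogin", namespaces=CAS_NS)
        if fresh is not None:
            result["is_from_new_login"] = fresh.strip().lower() == "true"
        when = attrs.findtext("cas:authenticationDate", namespaces=CAS_NS)
        if when:
            result["authentication_date"] = parse_cas_date(when)
    return result


def allow_profile_access(result, now, max_age=timedelta(minutes=5)):
    """Deny unless CAS itself says the credentials were just presented and
    the authentication is recent. Missing attributes are treated as 'no'."""
    if not result["ok"] or result["is_from_new_login"] is not True:
        return False
    when = result["authentication_date"]
    return when is not None and timedelta(0) <= now - when <= max_age


# --- constructed sample responses (not captured from a real CAS server) ---
SAMPLE_FRESH = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>pablo</cas:user>
    <cas:attributes>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
      <cas:authenticationDate>2022-08-16T17:13:05.123Z</cas:authenticationDate>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_SSO = SAMPLE_FRESH.replace(">true<", ">false<")   # ticket from an SSO session

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket 'ST-1-sample' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    now = datetime(2022, 8, 16, 17, 14, 0, tzinfo=timezone.utc)
    print(build_validate_url("ST-1-sample", APP_SERVICE, require_fresh=True))
    for name, xml in [("fresh", SAMPLE_FRESH), ("sso", SAMPLE_SSO), ("failure", SAMPLE_FAILURE)]:
        print(name, allow_profile_access(parse_validation(xml), now))
```

The two checks are complementary: `renew=true` on validation is what actually prevents the bypass, because the decision is made between the application and CAS and never passes through the browser; the attribute check adds a freshness window and a defensive default when a deployment does not enforce renew at validation time.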