CAS 5.2.3 Remember Me configuration

Laura

Apr 16, 2018, 11:12:34 AM
to CAS Community
Hi,

I have been trying to implement Remember Me functionality in our CAS application. However, it doesn't work and I am not sure why. From the logs, I can see that the cookie is created.

 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <Locating request parameter [rememberMe] with value [true]>
 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <Is this request from a remember-me authentication event? [yes]>
 DEBUG [org.apereo.cas.web.support.CookieRetrievingCookieGenerator] - <Creating cookie [TGC] for remember-me authentication with max-age [1209600]>

The user gets authenticated fine; however, the user gets logged out when the session expires. Here are the relevant properties. I set cas.tgc.secure to false for the local environment only.

cas.tgc.maxAge=-1
cas.tgc.secure=false
cas.tgc.httpOnly=false
cas.tgc.rememberMeMaxAge=1209600
cas.tgc.path=/cas
cas.tgc.domain=/cas

cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800

Could someone point me in the right direction? I did read the documentation but I'm still unsure if all my properties are correct or if I need to do anything else.

Let me know if you need more information about configuration, logs etc.

Thanks.
Laura

Ray Bon

Apr 16, 2018, 12:40:37 PM
to cas-...@apereo.org
Laura,

Are you saying that when your client application's session ends, it sends a logout request to CAS?
The settings for CAS only affect the ability to participate in SSO sessions. They have nothing to do with the client application.
The client should _not_ send logout to CAS when its session ends; it may when the user chooses to log out.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Laura

Apr 17, 2018, 4:19:27 AM
to CAS Community
Hi,

When I examine cookie information after logging in with Remember Me, there is a TGC cookie with an expiry date 'at end of session'. From my understanding, it should show the expiry date (1 month from now), which implies that my CAS remember me config is not correct.

I am very new to CAS so my understanding might be incorrect.

Thanks,

Ray Bon

Apr 17, 2018, 2:22:02 PM
to cas-...@apereo.org
Setting maxAge=-1 will result in cookie expiry at end of session.
I have this in my config but it may be for 5.1:

# default is P14D
# used to set maxAge on user selection of remember me at login
# it is always set regardless of user choice; this is a bug to investigate
cas.tgc.rememberMeMaxAge=-1

I have not had time to investigate this and my note is not entirely clear.

With rememberMeMaxAge=-1, the user can still have an 8 hour session (timeToKillInSeconds=28800) as long as the browser stays open. TGT lifetime takes priority, thus setting TGC to 1 month and TGT to 8 hours will result in the user having to log in after 8 hours.

Ray
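
Added example, not part of the thread and not CAS code: a small Python check that applies the rule Ray describes (the TGT lifetime caps the TGC cookie lifetime, and a negative max-age means a session cookie) to the properties from the first post. The function names are hypothetical, and the model follows the thread's description rather than CAS's actual implementation.

```python
# Added example: models the rule described in the thread, not CAS source code.
SAMPLE_PROPERTIES = """\
cas.tgc.maxAge=-1
cas.tgc.secure=false
cas.tgc.httpOnly=false
cas.tgc.rememberMeMaxAge=1209600
cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=28800
"""  # values copied from the first post in the thread


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def remember_me_report(props):
    """Return (effective_seconds, findings) for a remember-me login.

    effective_seconds is None when the TGC is a session cookie, i.e. the
    login ends when the browser closes or the TGT expires, whichever is first.
    """
    findings = []
    cookie_age = int(props["cas.tgc.rememberMeMaxAge"])
    tgt_age = int(props["cas.ticket.tgt.rememberMe.timeToKillInSeconds"])
    if props.get("cas.ticket.tgt.rememberMe.enabled", "").lower() != "true":
        findings.append("remember-me TGT policy is not enabled")
    if cookie_age < 0:
        findings.append("TGC is a session cookie; it is dropped when the browser closes")
        effective = None
    else:
        effective = min(cookie_age, tgt_age)
        if tgt_age < cookie_age:
            findings.append(f"TGT expires after {tgt_age}s, before the {cookie_age}s cookie")
    # Only flag cookie attributes that are explicitly disabled in the file.
    for flag in ("secure", "httpOnly"):
        if props.get(f"cas.tgc.{flag}", "").lower() == "false":
            findings.append(f"cas.tgc.{flag} is false")
    return effective, findings
```

Running `remember_me_report(parse_properties(SAMPLE_PROPERTIES))` on the posted values gives an effective lifetime of 28800 seconds and also reports the disabled `secure` and `httpOnly` cookie flags, which should be re-enabled outside a local test environment.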