Multiple SSO Sessions in same browser


David Albrecht

Jul 19, 2019, 7:42:39 AM7/19/19
to CAS Community
Hi all,

we are currently using CAS 5.3.3 and recently experienced that a user is able to create multiple SSO sessions (ticket granting tickets) by doing the following:

1. Open one service (SERVICE_1) which is using the CAS SSO in one tab (TAB_1). The user is then redirected to the CAS Login page but does not login yet!
2. Open another service (SERVICE_2) which is using the CAS SSO in a second! tab (TAB_2). The user is then redirected to the CAS Login page, logs in and is redirected to the service. CAS creates an SSO session with the authenticated service (SERVICE_1).
3. Go back to TAB_1 and login. CAS creates a second SSO session with the authenticated service (SERVICE_2).

As a result, two sessions exist. This is a behaviour we didn't expect. Since we are also using the single logout, this results in the problem that when logging off only one of the SSO sessions is terminated and as a consequence the BACK_CHANNEL logout request is only sent to one service and the user is still logged on at the other.

Technically we saw that the existing TGT cookie is actually ignored when submitting the user credentials if it didn't exist when opening the login page.

For now we solved this by changing the login-webflow.xml to make sure that the initialFlowSetupAction is also executed when submitting the user credentials:

    <view-state id="viewLoginForm" view="casLoginView" model="credential">
        <binder>
            <binding property="username" required="true"/>
            <binding property="password" required="true"/>
        </binder>
        <transition on="submit" bind="true" validate="true" to="initialFlowSetupAction" history="invalidate"/>
    </view-state>

    <action-state id="initialFlowSetupAction">
        <evaluate expression="initialFlowSetupAction"/>
        <transition on="success" to="checkTicket"/>
    </action-state>

    <action-state id="checkTicket">
        <evaluate expression="ticketGrantingTicketCheckAction"/>
        <transition on="valid" to="hasServiceCheck"/>
        <transition on="invalid" to="realSubmit"/>
        <transition on="notExists" to="realSubmit"/>
    </action-state>

    <action-state id="realSubmit">
        <evaluate expression="authenticationViaFormAction"/>
        <transition on="warn" to="warn"/>
        <transition on="success" to="createTicketGrantingTicket"/>
        <transition on="successWithWarnings" to="showAuthenticationWarningMessages"/>
        <transition on="authenticationFailure" to="handleAuthenticationFailure"/>
        <transition on="error" to="initializeLoginForm"/>
    </action-state>
However, we are wondering if this behaviour of CAS is intended and if yes, what are the reasons behind it.
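The three-step scenario from the post, replayed in a small simulation. This is an added example written for this page; it is neither CAS code nor the poster's patch, and `CasServer`, `two_tab_scenario` and the "correct" password are constructed for the illustration. The `check_cookie_on_submit` flag stands in for the webflow change above: with it off, the submit handler ignores the TGT cookie the browser now sends and mints a second TGT, so single logout later notifies only one service; with it on, the existing TGT is reused (as the `valid` transition to `hasServiceCheck` does) and both services are reached by the back-channel logout.

```python
from dataclasses import dataclass, field


@dataclass
class TicketGrantingTicket:
    """One SSO session; `services` are the services that obtained a ticket from it."""
    id: str
    user: str
    services: list = field(default_factory=list)


class CasServer:
    """Minimal stand-in for the CAS login webflow (constructed for this example)."""

    def __init__(self, check_cookie_on_submit):
        # True mirrors the patched webflow: run the TGT check on form submit as well.
        self.check_cookie_on_submit = check_cookie_on_submit
        self.registry = {}          # TGT id -> TicketGrantingTicket
        self.slo_requests = []      # (service, tgt id) back-channel logout notifications
        self._next = 1

    def submit_credentials(self, cookie, user, password, service):
        """Handle the login form POST. `cookie` is the TGT cookie the browser
        sends at submit time, which may not have existed when the form was rendered.
        Returns the TGT id that the response cookie will carry."""
        existing = self.registry.get(cookie)
        if self.check_cookie_on_submit and existing is not None:
            # ticketGrantingTicketCheckAction 'valid' -> hasServiceCheck: the existing
            # SSO session is reused and the service joins it. As in the posted flow,
            # the submitted credentials are not re-evaluated on this path.
            existing.services.append(service)
            return existing.id
        # Original behaviour: the cookie is ignored, the credentials are authenticated
        # and a brand-new TGT is created even though one may already exist.
        if password != "correct":
            raise PermissionError("authentication failed")
        tgt = TicketGrantingTicket(id=f"TGT-{self._next}", user=user, services=[service])
        self._next += 1
        self.registry[tgt.id] = tgt
        return tgt.id

    def logout(self, cookie):
        """Single logout: destroy the TGT behind the cookie and notify its services."""
        tgt = self.registry.pop(cookie, None)
        if tgt is None:
            return []
        self.slo_requests.extend((svc, tgt.id) for svc in tgt.services)
        return list(tgt.services)


def two_tab_scenario(check_cookie_on_submit):
    """Replay the three steps from the post and report what single logout reaches."""
    cas = CasServer(check_cookie_on_submit)
    cookie = None
    # Step 1: TAB_1 opens the login page for SERVICE_1 but does not submit.
    #         No TGT cookie exists yet; nothing happens server-side.
    # Step 2: TAB_2 logs in for SERVICE_2. A TGT is created and its cookie is set
    #         browser-wide (cookies are shared across tabs, not per tab).
    cookie = cas.submit_credentials(cookie, "alice", "correct", "SERVICE_2")
    # Step 3: TAB_1 submits the form rendered in step 1. The browser attaches the
    #         cookie from step 2 even though the form predates it.
    cookie = cas.submit_credentials(cookie, "alice", "correct", "SERVICE_1")
    sessions_before_logout = len(cas.registry)
    notified = cas.logout(cookie)
    return {
        "sessions_before_logout": sessions_before_logout,
        "services_notified": sorted(notified),
        "sessions_left_after_logout": len(cas.registry),
    }


if __name__ == "__main__":
    print("cookie ignored on submit :", two_tab_scenario(False))
    print("cookie checked on submit :", two_tab_scenario(True))
```

Running it shows the orphaned session directly: with the cookie ignored on submit, two TGTs exist, logout notifies only SERVICE_1 and one session survives; with the check on submit, a single TGT carries both services and logout notifies both. The simulation does not model the case where the submitted username differs from the user behind the existing TGT; the posted webflow reuses the TGT on the `valid` transition without looking at the form, which is worth keeping in mind when adopting the change.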