CAS - Remember me/Long term authentication when IP changes does not work


Catalin Dobrea

Dec 5, 2018, 4:43:38 AM
to CAS Community
Hi,

We use CAS 5.2.4 to protect some of our web apps and have SSO over them.

One of our clients complains about this scenario:
 
 - The user authenticates successfully via the "Remember me" option presented on the login form offered by CAS. (I can confirm that this long-term authentication works; e.g. I close Chrome from memory and then, when visiting the app, no login is required.)
 - The users of the client are pretty much on the move, so they access the apps we offer (protected by CAS) from different places: mobile network, different wifis.
 - So they complain that when they change the network they are required to authenticate again, even though they had previously checked the "Remember me" option.

So my questions are:

 - Is this long-term authentication sensitive to IP changes?
 - How can this be bypassed? I scrolled through cas.properties to see anything that might tweak this scenario, but I was unable to identify anything of the sort.
 - I was able to reproduce this problem locally on my dev env by switching networks. Another important thing is that the devices from which they access our apps are iPads with Safari on iOS 12 or so. I used an iPad as well when reproducing this scenario.
   Can this also be the cause? Because sometimes it is a nightmare doing custom things for iOS. So, can it happen that the TGC is not being sent by Safari on iOS when the network changes?

Any starting point, helping me to find a fix or at least an explanation if this scenario is intended, would be really appreciated!

Thanks

Ray Bon

Dec 5, 2018, 1:02:08 PM
to cas-...@apereo.org
Catalin,

'Remember me' is a CAS session option and has nothing to do with your app session. Closing your browser and keeping the log in to your app means that your app has a long term cookie that lives while your browser is closed.
The CAS TGC, by default, will expire if the browser is closed. If you visit a new app you would have to log in again.

If your apps require log in after a network change, that is an app config issue.

Are users closing the browser when switching networks?

If you want to see 'Remember me' in action, after logging in to your app and waiting the minimum CAS session time, delete your app's cookies (not CAS cookies). When you revisit your app, you will be redirected to CAS and log in will proceed automatically.
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

darKu

Dec 5, 2018, 5:42:37 PM
to cas-...@apereo.org
Hi Ray,

First of all, thank you for your interest in this problem.
Remember me works.

User logs in with remember me checked.
Close the browser; on Windows I close Chrome from the taskbar/task manager, since Chrome is somehow working in the background. On iPad I close Safari from the running apps.
When I open Chrome again and check the cookies, just the TGC is present since remember me was used, no app cookie, as you pointed out; the app cookie expired when the browser was closed. Likewise, the TGC will not be present if the user didn't check remember me, the same thing you pointed out.
Then I access the app. It works in both scenarios: PC and iPad.

However, if I switch the network and do the same steps, then instead I get redirected to the login form.

So why in this case does the CAS TGC not get validated or sent? (Maybe just the iPad is the troublemaker, not sending the TGC?) As I said, I was able to reproduce it on my DEV.
I have to try in prod on my laptop and see whether, if I switch the network on my laptop, this works or not.

Regarding your statement about the app session: hmmm, that would be interesting to try. Definitely here I have more control, so I should make the app session long-term authenticated.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1544032921.2944.71.camel%40uvic.ca.

Ray Bon

Dec 5, 2018, 7:18:33 PM
to cas-...@apereo.org
I am running CAS 5.2.7 and the TGC has session lifetime regardless of 'Remember me'. If I close my browser, the TGC will be removed (firefox and chrome). I could be wrong, but I understand 'Remember me' as a way of providing an SSO session that is longer than the app session (not a way to persist across browser shutdowns). When the app session ends, it goes back to CAS where log in is automatic.
If the TGC is still present after you close your browser, it could be odd browser behaviour.

What version of CAS are you using?

I have not been in a position to test switching networks, so I cannot provide first-hand experience in this regard.

It is possible that the TGC is bound to an IP address. I have not looked at the code for its creation. Perhaps a security measure to prevent two different devices from using the same TGC.

Ray

darKu

Dec 5, 2018, 7:42:20 PM
to cas-...@apereo.org
Hi Ray,

It's about CAS 5.2.4.
I can confirm that the TGC is persistent across browser restarts and not persistent when remember me is not checked.
When remember me is not checked, the TGC in Chrome is marked as "until the browser session ends".

You are totally correct with your statement about remember me. But take the more common example with FB. You log in once, then nobody will bother you ever again. Lol.
You close the browser, so then the conclusion is that the cookie remains there.

I can send you some screenshots later to show you how the TGC is showing up there.
I tested this scenario by connecting my laptop to the hotspot on my phone. The only subtle difference is that I also needed to switch my laptop running CAS to that hotspot, and also the client, in my case the iPad. Otherwise these 2 devices are not able to see each other.
In the original scenario, only the client network will change; the server will be the same.

So yeah, I don't know. I have to determine first whether this is only reproducible on iPad. This bling-bling device is such a troublemaker in general.

Pascal Rigaux

Dec 6, 2018, 4:45:51 AM
to cas-...@apereo.org
On 05/12/2018 10:43, Catalin Dobrea wrote:
>  - Is this long-term authentication sensitive to IP changes?

Yes.

Cf https://github.com/apereo/cas/blob/master/core/cas-server-core-cookie-api/src/main/java/org/apereo/cas/web/support/DefaultCasCookieValueManager.java#L81-L84

>  - How can this be bypassed? I scrolled through cas.properties to see anything that might tweak this scenario, but I was unable to identify anything of the sort.

Switching from DefaultCasCookieValueManager to NoOpCookieValueManager will bypass the IP check.
An easy way to do it should be cas.tgc.crypto.enabled=false
(not tested on 5.x; we've done it on 4.2.x, which is similar but different)

Refs:
- https://github.com/apereo/cas/blob/master/core/cas-server-core-cookie/src/main/java/org/apereo/cas/web/config/CasCookieConfiguration.java#L48
- https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#signing--encryption-5

--
Pascal Rigaux

Expert in application development and deployment
DSIUN-SAS (applications and digital services department)
Université Paris 1 Panthéon-Sorbonne - Centre Pierre Mendès France (PMF)
B 407 - 90, rue de Tolbiac - 75634 PARIS CEDEX 13 - FRANCE
Tel: 01 44 07 86 59

Catalin Dobrea

Dec 6, 2018, 4:51:14 AM
to CAS Community
Hi Pascal,

Thank you very much!
I'll have to check your solution. Wow, if just disabling crypto on the TGC works, that would be awesome, since no changes should be required.
I enabled crypto on many flows in CAS, so I should definitely give it a try.

Jozef Kotlar - EEA.sk

Dec 8, 2018, 12:58:29 PM
to CAS Community
We have developed an alternate implementation of CookieValueManager: only the User-Agent is encoded into the TGC.

Anyway, Pascal's answer should work if you are OK with the TGC flowing across the network unencrypted (but that does not apply if all your services are HTTPS).

Dodo
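To make the two designs discussed above concrete, here is an added Python model of the cookie binding check. It is not CAS's own code (the DefaultCasCookieValueManager Pascal linked is not reproduced here) and not Jozef's implementation: an HMAC stands in for the signing/encryption cipher that cas.tgc.crypto.* configures, and every ticket id, address and User-Agent string is constructed for the example. The same manager class is configured three ways: IP + User-Agent binding (the default behaviour Pascal points at), User-Agent only (Jozef's variant), and no binding at all (what a no-op manager amounts to), and each is replayed against the thread's scenario of presenting the same TGC after a network change.

```python
"""Model of binding a CAS-style ticket-granting cookie (TGC) to client
attributes. Added example, not CAS's own code: the HMAC stands in for the
signing/encryption cipher configured by cas.tgc.crypto.*, and every id,
address and User-Agent below is constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key for the example only; a real deployment keeps it secret.
SIGNING_KEY = b"example-signing-key-not-for-production"


@dataclass(frozen=True)
class ClientContext:
    """What the server sees about the request presenting the cookie."""
    remote_addr: str
    user_agent: str


class BoundCookieValueManager:
    """Embeds the TGT id plus the selected client attributes in the cookie
    value, signs it, and on read refuses a value presented by a client whose
    bound attributes differ. bind_ip + bind_user_agent models the default
    IP + User-Agent check; bind_user_agent alone models the User-Agent-only
    variant; neither models a no-op manager (no binding at all)."""

    def __init__(self, bind_ip: bool, bind_user_agent: bool) -> None:
        self.bind_ip = bind_ip
        self.bind_user_agent = bind_user_agent

    @staticmethod
    def _tag(payload: str) -> str:
        return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def build_cookie_value(self, tgt_id: str, ctx: ClientContext) -> str:
        """Called at login: bind the chosen attributes, then sign (tgt@addr@ua|tag)."""
        payload = "@".join([
            tgt_id,
            ctx.remote_addr if self.bind_ip else "",
            ctx.user_agent if self.bind_user_agent else "",
        ])
        return f"{payload}|{self._tag(payload)}"

    def obtain_cookie_value(self, cookie: str, ctx: ClientContext) -> str:
        """Called on every SSO check: verify the tag first, then the binding."""
        payload, sep, tag = cookie.rpartition("|")
        if not sep or not hmac.compare_digest(tag, self._tag(payload)):
            raise ValueError("TGC signature invalid")
        # User-Agent is the last field, so an '@' inside it cannot shift the others.
        tgt_id, bound_addr, bound_ua = payload.split("@", 2)
        if self.bind_ip and bound_addr != ctx.remote_addr:
            raise ValueError("TGC was issued to a different client address")
        if self.bind_user_agent and bound_ua != ctx.user_agent:
            raise ValueError("TGC was issued to a different User-Agent")
        return tgt_id


def accepts(manager: BoundCookieValueManager, cookie: str, ctx: ClientContext) -> bool:
    """True when the manager would honour the cookie for this request."""
    try:
        manager.obtain_cookie_value(cookie, ctx)
        return True
    except ValueError:
        return False


def replay_scenario(manager: BoundCookieValueManager) -> dict:
    """The thread's scenario with constructed values: log in from one network,
    then present the same TGC after a network change, from another device,
    and with the embedded address rewritten by hand (a no-op when the
    manager never embedded the address)."""
    ua_ipad = "Mozilla/5.0 (iPad; CPU OS 12_0) constructed-ua Safari"
    ipad_wifi = ClientContext("203.0.113.10", ua_ipad)       # network at login
    ipad_mobile = ClientContext("198.51.100.7", ua_ipad)     # after switching
    other_device = ClientContext("198.51.100.7", "constructed-ua Chrome/70")

    cookie = manager.build_cookie_value("TGT-1-constructed", ipad_wifi)
    # Rewriting the bound address without the key breaks the tag, so the
    # binding is not defeated by editing the cookie text.
    edited = cookie.replace("203.0.113.10", "198.51.100.7", 1)

    return {
        "same_network": accepts(manager, cookie, ipad_wifi),
        "network_changed": accepts(manager, cookie, ipad_mobile),
        "other_device": accepts(manager, cookie, other_device),
        "edited_address": accepts(manager, edited, ipad_mobile),
    }


DEFAULT_MANAGER = BoundCookieValueManager(bind_ip=True, bind_user_agent=True)
USER_AGENT_ONLY = BoundCookieValueManager(bind_ip=False, bind_user_agent=True)
NOOP_MANAGER = BoundCookieValueManager(bind_ip=False, bind_user_agent=False)

if __name__ == "__main__":
    for name, manager in [("default (IP+UA)", DEFAULT_MANAGER),
                          ("User-Agent only", USER_AGENT_ONLY),
                          ("no binding", NOOP_MANAGER)]:
        print(f"{name:16s} {replay_scenario(manager)}")
```

The replay shows the trade-off behind the thread: with IP binding, the iPad's TGC stops working the moment its address changes, which is exactly the complaint; with User-Agent-only binding the network change is tolerated but a different browser is still refused; with no binding, whoever holds the cookie value is accepted from anywhere, which is why Jozef's caveat about TLS on every service matters once the check is relaxed.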

darKu

Dec 8, 2018, 1:12:11 PM
to cas-...@apereo.org
Hi Jozef,

Thanks for your input as well.
Yes, we are on HTTPS only.
Also, I had to disable the TGC encryption for a customer when I had to implement some automatic login, so I don't think disabling it would be a problem.
I haven't had time yet to test this solution.
