Cas Cookie


merve ceylan

Sep 20, 2019, 2:25:20 AM
to CAS Community
Hello,

After logging in with CAS, when I close the browser and open it again, I am logged out and the login screen appears again. The session closes and the cookie is deleted. What should I do to avoid being logged out when I close the browser?

Thanks,

David Curry

Sep 20, 2019, 7:46:15 AM
to cas-...@apereo.org
That's how it's supposed to work. The CAS cookies are session cookies. When you end the session (close your browser), the cookies are deleted.

Managing application sessions is outside of CAS' scope. If an application wants to stay logged in across browser sessions, then that application should have its own cookie to do that. Lots of applications do that if you check some sort of "stay logged in" box -- Google, Facebook, Twitter, etc.

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728 | david...@newschool.edu



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ed7e3085-7fbc-45a5-acd0-7db7fe9e575c%40apereo.org.

merve ceylan

Sep 20, 2019, 8:42:36 AM
to CAS Community
Hi,

The application will register how the user reads from the cas's database. After logging into the CAS application as casuser, without connecting to the application, I close the browser and I am automatically logged out. Is this CAS's working mechanism? Can't we put a timeout on that?

Thanks,

On Friday, 20 September 2019 at 14:46:15 UTC+3, David Curry wrote:
> That's how it's supposed to work. The CAS cookies are session cookies. When you end the session (close your browser), the cookies are deleted.
>
> Managing application sessions is outside of CAS' scope. If an application wants to stay logged in across browser sessions, then that application should have its own cookie to do that. Lots of applications do that if you check some sort of "stay logged in" box -- Google, Facebook, Twitter, etc.


David Curry

Sep 20, 2019, 8:51:52 AM
to cas-...@apereo.org
No, you can't put a timeout on it. That's not how session cookies work. Again, if you want an application to stay logged in across browser invocations, that is the application's responsibility.

I do not understand what you mean by "the application will register how the user reads from the cas's database." Users and applications do not read from CAS' database(s).

But if you log in directly to the CAS UI by going to https://casserver/cas/login that's fine; once you're logged in just open the application you want in the same invocation of the browser -- the same window, a new window, a new tab, whatever.



Ray Bon

Sep 20, 2019, 12:46:11 PM
to cas-...@apereo.org
Merve,

Allowing CAS session after browser close would be a HUGE security vulnerability. Do not try to get around this, do not even think about it.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Appify

Sep 20, 2019, 1:52:30 PM
to cas-...@apereo.org
You can enable the remember me feature from CAS if that solves the problem.


Andy Ng

Sep 23, 2019, 9:39:19 AM
to CAS Community
Hi all,

While I do agree that allowing a CAS session after browser close is very much a security vulnerability and would suggest against it, there is indeed a config to allow such a thing to happen:

> cas.tgc.maxAge=-1

If one modifies this to a positive number, you will get the behaviour of the CAS session surviving a browser close and re-open.

Again, I do not recommend doing it.

Cheers!
- Andy
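As an added example (not code from this thread or from the CAS project), the following Python models what David and Andy describe: a browser keeps a cookie across a restart only when the server marked it with Max-Age or Expires, the default `cas.tgc.maxAge=-1` yields a plain session cookie, and a positive value makes the ticket-granting cookie persistent. It assumes the cookie name `TGC` and the Java servlet convention that a maxAge of -1 omits the Max-Age attribute (and that 0 or more emits `Max-Age=<seconds>`); every Set-Cookie value in it is a constructed sample. The `audit_set_cookies` function is the check an administrator can run over their own CAS login response to confirm the TGC does not outlive the browser.

```python
"""Session cookies vs persistent cookies, as discussed in this thread.

Added example, not CAS project code. Assumptions (labelled):
  * 'TGC' is the name of the CAS ticket-granting cookie.
  * cas.tgc.maxAge maps onto Set-Cookie's Max-Age the way the Java servlet
    Cookie class does: -1 sends no Max-Age (session cookie), >= 0 sends
    Max-Age=<seconds>.
  * Every Set-Cookie value here is a constructed sample.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List


@dataclass
class Cookie:
    name: str
    value: str
    persistent: bool   # True only if a usable Max-Age or Expires was sent
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value.

    Per RFC 6265 a cookie outlives the browser only if Max-Age or Expires is
    present and parseable. Max-Age takes precedence over Expires; an
    unparseable attribute is ignored, leaving a session cookie; Max-Age <= 0
    or an Expires in the past means the cookie is discarded at once.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    max_age = None
    expires_ok = False
    secure = http_only = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                max_age = int(val.strip())
            except ValueError:
                pass                         # ignored per RFC 6265 5.2.2
        elif key == "expires":
            try:
                dt = parsedate_to_datetime(val.strip())
                if dt.tzinfo is None:        # "-0000" dates come back naive
                    dt = dt.replace(tzinfo=timezone.utc)
                expires_ok = dt > datetime.now(timezone.utc)
            except (TypeError, ValueError):
                pass                         # unparseable date: ignored
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    persistent = max_age > 0 if max_age is not None else expires_ok
    return Cookie(name.strip(), value, persistent, secure, http_only)


def render_tgc(max_age: int, ticket: str = "TGT-1-constructed-sample") -> str:
    """Render the TGC Set-Cookie value CAS would send for cas.tgc.maxAge
    (assumed servlet semantics: -1 omits Max-Age, >= 0 emits it)."""
    header = f"TGC={ticket}; Path=/cas; Secure; HttpOnly"
    if max_age >= 0:
        header += f"; Max-Age={max_age}"
    return header


def browser_restart(jar: List[Cookie]) -> List[Cookie]:
    """Close and reopen the browser: only persistent cookies come back."""
    return [c for c in jar if c.persistent]


def tgc_survives_restart(max_age: int) -> bool:
    """Does the CAS SSO session outlive the browser for this cas.tgc.maxAge?"""
    return bool(browser_restart([parse_set_cookie(render_tgc(max_age))]))


def audit_set_cookies(headers: List[str]) -> List[str]:
    """Defender's check: names of cookies that would outlive a browser close.

    Run it over the Set-Cookie headers your CAS server returns after login;
    'TGC' should not appear unless you deliberately enabled persistence.
    """
    jar = [parse_set_cookie(h) for h in headers]
    return [c.name for c in browser_restart(jar)]


if __name__ == "__main__":
    # Constructed samples: a default CAS login response (session TGC) next to
    # an application's own "stay logged in" cookie, which is where David's
    # reply says persistence belongs.
    sample = [
        render_tgc(-1),
        "JSESSIONID=constructed; Path=/cas; Secure; HttpOnly",
        "app_remember=constructed; Path=/; "
        "Expires=Fri, 01 Jan 2099 00:00:00 GMT; Secure; HttpOnly",
    ]
    print("cookies that persist across browser close:", audit_set_cookies(sample))
    for age in (-1, 0, 3600):
        print(f"cas.tgc.maxAge={age}: survives restart = {tgc_survives_restart(age)}")
```

Running it shows only `app_remember` surviving the simulated restart with the default setting, and the TGC surviving only once `cas.tgc.maxAge` is positive, which is exactly the behaviour Andy warns about. The parser deliberately treats a malformed Max-Age or Expires as absent, because that is what a browser does, so a cookie a developer believed persistent may silently be a session cookie and vice versa.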