ideas for persistence login session

Pablo Vidaurri

Jul 27, 2022, 3:16:17 PM
to CAS Community
Currently the CAS TGT is an 8hr session and the ST is a 2hr session. Client is requesting to enable certain parts of their site (protected) to include a longer ST (for weeks) while maintaining a 2hr session for other secured parts like "Account/Profile".

I understand the application needs to change, but is there anything on the CAS side that I can do to help in this effort?

Would JWT help? When a user successfully logs in, issue a JWT good for 4 weeks with the user's credentials. Now let's assume the TGT/ST are no longer valid and the user is trying to access a part of the site where logging in is not required for days (protected area). The JWT would then be used to auto-login the user. Achievable or pure abuse?

Also considered increasing the TGT TTL to weeks and creating separate services to define an AuthenticationDateRegisteredServiceSingleSignOnParticipationPolicy of 2hrs/8hrs, etc., but this means certain parts of the site need to be under specific URL patterns.

Any suggestions?

-psv

Carl Waldbieser

Jul 27, 2022, 5:03:17 PM
to cas-...@apereo.org
The ST generally should have a lifetime measured in seconds.  Since it is single use, it doesn't really make sense to issue one, have a client hold on to it for an hour, and finally use it.  The lifetime should generally reflect the anticipated network time for the client to receive the ST and validate it.

For the TGT, you can set that however long makes sense for your SSO sessions.  2 hours works for my organization.  You may need a longer time measured in days or weeks, I guess, but it seems like users should be using something like a password manager if they can't log in at least once a day?  It really depends on the policies in your organization.

Thanks,
Carl Waldbieser


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/793b6932-8c4d-48d3-a5e7-945988566788n%40apereo.org.

Ray Bon

Jul 27, 2022, 5:35:08 PM
to cas-...@apereo.org
Pablo,

The long running pages could be added as a service with longer TGT life, https://apereo.github.io/cas/6.5.x/ticketing/Configuring-Ticket-Expiration-Policy.html#per-service

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Richard Frovarp

Jul 27, 2022, 7:34:15 PM
to cas-...@apereo.org
I would change the application and not do it via CAS. Change the application session timeout to what they want. Because otherwise it will do an SSO session again, which will interrupt anything the end user is trying to do with the browser open for the past two days. So anything done via CAS won't give a good user experience.

Pablo Vidaurri

Jul 28, 2022, 10:07:57 AM
to CAS Community, richard.frovarp
Sorry, waldbiec is correct ... ST is using the default value of 10 sec ... I meant the application session is 2hrs.

Basically we are looking at how to mimic sites like Amazon ... once you log in you can browse for days, add stuff to your cart, maybe even check out. But once you go to modify your account details (shipping/billing, etc.) you get prompted to log in again.

-psv

Richard Frovarp

Jul 28, 2022, 10:36:12 AM
to cas-...@apereo.org
Amazon stores a decent amount of info at the account layer. Different application sessions across different devices share the cart. But the solution for this is to do it at the application layer. Extend the session out there. Then at the security layer, it should have the functionality to know when the last authentication was. If they are doing something that requires higher security, that last login time is queried and a forced authentication is done if it isn't high enough. You could do a normal SSO auth if your IdP session is less than your critical time period. You can force an auth through CAS, even with an active session, by using the renew option.
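
The application-layer approach Richard describes, as an added example that is not part of this thread and not code from the CAS project: the app records the `authenticationDate` attribute that the CAS protocol 3.0 `serviceValidate` response returns, keeps its own long-lived session, and only sends the user back to CAS with `renew=true` when the last CAS login is older than the threshold for the area being visited. The CAS server URL, the path prefixes and thresholds, and the two sample XML responses are assumptions constructed for illustration; the handling of the `Z[UTC]` zone-id suffix and of fractional seconds beyond microseconds is there because CAS timestamps do not always parse cleanly with `datetime.fromisoformat`.

```python
"""Application-side check of the last CAS authentication time.

Added example; not code from this thread or from the CAS project.
Assumptions: the app validates tickets with CAS protocol 3.0 serviceValidate,
whose XML response carries the ISO-8601 `authenticationDate` attribute; the app
stores that timestamp in its own session; the CAS URL, path prefixes and
thresholds below are hypothetical.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_LOGIN_URL = "https://cas.example.org/cas/login"  # hypothetical CAS server

# Maximum accepted age of the CAS authentication per area of the site
# (hypothetical policy). Longest matching prefix wins; None means the app's
# own session is sufficient no matter how old the CAS login is.
REAUTH_POLICY: dict[str, timedelta | None] = {
    "/account/": timedelta(hours=2),   # profile, shipping, billing
    "/checkout/": timedelta(hours=8),
    "/": None,                          # browsing, cart
}

# CAS 6 renders timestamps like "2022-07-27T19:16:17.123456789Z[UTC]"; strip the
# zone-id suffix and cap the fraction at microseconds for fromisoformat.
_ZONE_ID = re.compile(r"\[[^\]]+\]$")
_FRACTION = re.compile(r"(\.\d{1,6})\d*")


def parse_cas_timestamp(text: str) -> datetime:
    """Parse a CAS attribute timestamp into an aware UTC datetime."""
    s = _FRACTION.sub(r"\1", _ZONE_ID.sub("", text.strip()))
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    ts = datetime.fromisoformat(s)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_authentication_date(validate_xml: str) -> datetime:
    """Extract authenticationDate from a serviceValidate response.

    Raises ValueError on authenticationFailure or a missing attribute, so a
    failed validation can never be mistaken for an old-but-valid login.
    """
    root = ET.fromstring(validate_xml)
    if root.find("cas:authenticationFailure", CAS_NS) is not None:
        raise ValueError("CAS ticket validation failed")
    node = root.find("cas:authenticationSuccess/cas:attributes/cas:authenticationDate", CAS_NS)
    if node is None or not node.text:
        raise ValueError("authenticationDate attribute missing from response")
    return parse_cas_timestamp(node.text)


def max_auth_age(path: str) -> timedelta | None:
    """Threshold for the longest policy prefix matching `path`."""
    prefix = max((p for p in REAUTH_POLICY if path.startswith(p)), key=len, default="/")
    return REAUTH_POLICY[prefix]


def needs_reauth(path: str, auth_date: datetime, now: datetime | None = None) -> bool:
    """True when the stored CAS authentication is too old for this area."""
    limit = max_auth_age(path)
    if limit is None:
        return False
    now = now or datetime.now(timezone.utc)
    return now - auth_date > limit


def reauth_redirect(service_url: str) -> str:
    """CAS login URL that forces a fresh login (renew=true).

    The decision is taken server-side from the validated authenticationDate,
    so a user who strips renew=true from this URL is simply redirected again
    when the app sees the still-too-old timestamp after the next validation.
    """
    return CAS_LOGIN_URL + "?" + urlencode({"service": service_url, "renew": "true"})


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>psv</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2022-07-27T19:16:17.123456789Z[UTC]</cas:authenticationDate>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    auth_at = parse_authentication_date(SAMPLE_RESPONSE)
    now = parse_cas_timestamp("2022-07-29T12:00:00Z")  # about 41 hours later
    for path in ("/catalog/item/42", "/checkout/cart", "/account/addresses"):
        if needs_reauth(path, auth_at, now):
            print(path, "-> force login:", reauth_redirect("https://shop.example.org" + path))
        else:
            print(path, "-> application session is enough")
    try:
        parse_authentication_date(FAILURE_RESPONSE)
    except ValueError as exc:
        print("failed validation rejected:", exc)
```

The point of keeping the check in `needs_reauth` rather than in the redirect is that the `renew` parameter is only a request to CAS; what the application trusts is the `authenticationDate` it validated itself. After a forced login CAS returns a new timestamp (and `isFromNewLogin`), the app overwrites the stored value, and the account pages open while the rest of the site never had to re-authenticate.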

Pablo Vidaurri

Aug 16, 2022, 12:32:22 PM
to CAS Community, richard.frovarp
How can I enforce the renew option? It looks like a query parameter which the user can remove and bypass forced authentication.