CAS 6.1 - Browser Issue

[Emre Ermişoğlu]

Hello,

I installed CAS 6.1 and we are currently testing this instance. We are only using LDAP and Database authentication. When we test the CAS with Firefox, it works fine. After we enter correct credentials, it redirects user to applications (Expected behavior). 

However when we test it with IE or Chrome, we get a different behavior. After entering correct credentials, most of the time , it refreshes the login page instead of redirecting user to application and it is not creating any ticket. (When I check the logs, I dont see any LDAP connection or Database connection ).  And when we restart the application server, it works fine for couple tries. Then it starts refreshing the login page again. 

I dont see any error in the log files. Did anyone have the similar issue? Any idea?

Browsers that I use:

Firefox 78.0.1

IE  11.1932.16299.0CO

Chrome  83.0.4103.116

Regards,

Emre

[Ray Bon]

Emre,

If you start with private/incognito windows, do you get the same behaviour? It is possible that chrome and ie are holding on to prior cas sessions.

Check your cas cookie settings, cas.tgc.xxx. Browsers are becoming more strict with the cookie settings.

Not related to browsers, but do you have multiple cas hosts? If so, are your cas sessions being shared (ticket storage)?

Try turning up the logging level in cas to see if it provides some clues.

Ray

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

[Emre Ermişoğlu]

Thank you Ray for your quick response.

-  When I start with private/incognito windows, I get the same behavior.

-  I tried different cookie settings ( cas.tgc.xxx).  Still same issue

- No, we have only one host. Sessions are not being share with any other CAS instance.

- I created a log file (for  org.apereo.* classes) for IE login attempt and another log file (for  org.apereo.* classes)  for Firefox login attempt.

When I compared these log files, I realized that. In both log files, I see that "AbstractWebApplicationService" is created (Second time). And until this point (From server start to "AbstractWebApplicationService" is created second time), everything is same.

After this point :

For IE, I get these logs:

TRACE [org.apereo.cas.web.support.gen.TicketGrantingCookieRetrievingCookieGenerator] - Removed cookie 'TGC'

TRACE [org.apereo.cas.web.support.WebUtils] - Evaluating request to determine if warning cookie should be generated

TRACE [org.apereo.cas.audit.spi.principal.ThreadLocalPrincipalResolver] - Resolving principal at audit point [execution(Event org.apereo.cas.web.flow.resolver.impl.RankedMultifactorAuthenticationProviderWebflowEventResolver.resolveSingle(RequestContext))]

TRACE [org.apereo.cas.audit.spi.FilterAndDelegateAuditTrailManager] - Recording audit action context [org.apereo.inspektr.audit.AuditActionContext@35335fa4]

INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN

=============================================================

WHO: audit:unknown

WHAT: [event=success,timestamp=Thu Jul 09 10:12:35 CDT 2020,source=RankedMultifactorAuthenticationProviderWebflowEventResolver]

ACTION: AUTHENTICATION_EVENT_TRIGGERED

APPLICATION: CAS

WHEN: Thu Jul 09 10:12:35 CDT 2020

CLIENT IP ADDRESS: x.x.x.x

SERVER IP ADDRESS: x.x.x.x

=============================================================

After that, it reloads the login page.

-------------------------------------------

However in Firefox log: 

I get these logs after "AbstractWebApplicationService" is created second time:

TRACE [org.apereo.cas.util.EncodingUtils] - Successfully decoded value. Result in Base64url-encoding is [****************************************************************************]

TRACE [org.apereo.cas.services.web.ChainingThemeResolver] - Attempting to resolve theme via [CookieThemeResolver]

TRACE [org.apereo.cas.services.web.ChainingThemeResolver] - Attempting to resolve theme via [SessionThemeResolver]

TRACE [org.apereo.cas.services.web.ChainingThemeResolver] - Attempting to resolve theme via [RequestHeaderThemeResolver]

TRACE [org.apereo.cas.services.web.ChainingThemeResolver] - Attempting to resolve theme via [RegisteredServiceThemeResolver]

Then it displays Client IP and Browser information. And it makes the database and LDAP connections to verify the credentials. 

Looks like when I try to login with IE, CAS ignores the request and reloads the login page. 

Regards,

Emre

[lanf detroy]

Hello, with the exact same issue, we try with versions 6.2.6 / 6.2.7 / 6.3.1 but still the same problem. Did you solved it and how ? thank you

[Nicolás López]

DId anybody find a solution for this?

Thanks,

[lanfdetroy]

[Nicolás López]

It looks like we found the solution, check this post: https://groups.google.com/a/apereo.org/g/cas-user/c/u7wpwbxWT4o