where is CAS TGC cookie stored in browser?


Yan Zhou

Oct 21, 2016, 3:42:52 PM
to CAS Community
Hello,

It was said that the TGT cookie (TGC) is hidden, so that we won't see it.

I am curious how the browser can send such a hidden cookie to CAS when the user goes to apps. If the browser can see it, there should be a way for us to see it.

The reason I am asking is because I noticed that Ajax XhrRequest does not seem to send the TGC cookie in some circumstances, so I need to investigate.

Thx!

Andrew Morgan

Oct 21, 2016, 5:47:39 PM
to Yan Zhou, CAS Community
The TGC is set by the CAS server using the domain of the CAS server. For
example, my CAS server is at https://login.oregonstate.edu/cas/ and the
TGC has a domain of "login.oregonstate.edu" and a path of "/cas". The
browser will only send the cookie to the CAS, not the CAS client.

The TGC persists the SSO session. It is not used by client applications.
They receive a Service Ticket (ST) appended to the URL and validate the ST
by calling CAS's /serviceValidate endpoint.

A more complete description of this can be found at:

https://apereo.github.io/cas/4.2.x/protocol/CAS-Protocol.html

Thanks,
Andy
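
The scoping Andy describes (domain "login.oregonstate.edu", path "/cas") can be checked with the RFC 6265 matching rules. The following is an added example, not part of the thread or of CAS itself; the cookie name and value, the host-only and Secure settings, and the client host app.example.edu are assumptions made for illustration.

```javascript
// Constructed sample cookie using the domain and path from the message above.
const tgc = {
  name: 'TGC',                        // assumed cookie name
  value: 'TGT-1-constructed-example', // constructed value
  domain: 'login.oregonstate.edu',
  path: '/cas',
  hostOnly: true, // assumption: set without a Domain attribute
  secure: true,   // assumption: only sent over https
};

// RFC 6265 section 5.1.3: exact host match, or a subdomain when not host-only.
function domainMatches(cookie, host) {
  host = host.toLowerCase();
  if (host === cookie.domain) return true;
  return !cookie.hostOnly && host.endsWith('.' + cookie.domain);
}

// RFC 6265 section 5.1.4: "/cas" matches "/cas" and "/cas/login", not "/castle".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would the browser attach the cookie to this request?
// The optional xhr argument models an XMLHttpRequest issued by a page at
// xhr.pageOrigin: a cross-origin XHR carries cookies only when
// xhr.withCredentials is true. SameSite and third-party cookie blocking
// are not modelled here.
function browserSendsCookie(cookie, requestUrl, xhr = null) {
  const url = new URL(requestUrl);
  if (cookie.secure && url.protocol !== 'https:') return false;
  if (!domainMatches(cookie, url.hostname)) return false;
  if (!pathMatches(cookie.path, url.pathname)) return false;
  if (xhr && new URL(xhr.pageOrigin).origin !== url.origin) {
    return xhr.withCredentials === true;
  }
  return true;
}
```

A top-level navigation to https://login.oregonstate.edu/cas/login carries the cookie, while any request to the client application's host does not, which is why the client only ever sees the Service Ticket.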

Yan Zhou

Oct 21, 2016, 6:40:26 PM
to Andrew Morgan, CAS Community
OK, thx for the explanation.

I cannot see any TGC cookie in my browser. Why is that? If it is not there, how does the browser send it to the CAS server?

Yan

Andrew Morgan

Oct 21, 2016, 6:48:16 PM
to Yan Zhou, CAS Community
On Fri, 21 Oct 2016, Yan Zhou wrote:

> OK, thx for explanation.
>
> I cannot see any TGC cookie in my browser. Why is that? If it is not
> there, how does Browser send to CAS server?

You could try running something like Firefox's Live HTTP Headers add-on to
view the headers sent and received when you interact with CAS.

Andy

Paramvir Singh Karwal

Dec 4, 2018, 6:22:58 AM
to CAS Community, yana...@gmail.com, mor...@orst.edu
Hi Andy,

My question is regarding the validation of the session cookie. The first time, the service ticket is validated by calling CAS's endpoint, but in subsequent calls from the browser to the application only the session cookie is sent. How does the application validate the session cookie? Does the application server keep a record of the session cookie which can be checked against incoming calls containing the session cookie? As depicted in the diagram, there is no call to CAS from the application server to validate the cookie this time.

Ray Bon

Dec 4, 2018, 12:08:53 PM
to cas-...@apereo.org, yana...@gmail.com, mor...@orst.edu
Paramvir,

I assume that by session cookie you mean your client application's session cookie and not CAS's TGC.
The client application is responsible for managing its own session. Once the user has been authenticated (service ticket validated), CAS is no longer required.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Paramvir Singh Karwal

Dec 4, 2018, 1:18:05 PM
to cas-...@apereo.org
Thanks Ray,
That clears my confusion.
