Same service ticket getting generated multiple time for one authentication request

[Vikash Chandra Ansh]

Hi Team.

I have encountered a strange issue. I have integrated an application with CAS. During authentication sometime, same ST is getting generated multiple times. One ST one getting validated and rest are 401.

As per the logs from my integrated application, I can see same ST is generated 6 to 8 times and received validation request back on both of the CAS app servers. Ideally it should go on only one of the server for validation.and Regards

Here my CAS is hosted on two app servers and on top of it two Apache Web servers are there. It's confirmed that sticky session is also enabled.

Currently CAS version I am using is 5.2.9

Thanks 

Vikash Chandra 

[Ray Bon]

Vikash,

I assume you have a load balancer in front of the Apache Web servers that is setting the sticky sessions.

I also assume that multiple new ST are being created, not that your service application is sending the same ST multiple times.

The application sends the ST to Cas directly, not through the browser. So the application gets its own sticky session which is likely to be on a different Apache server than the one the user's browser is on.

Thus you need a ticket storage system that is shared by both Cas servers.

I found that ehCache did not replicate fast enough so I switched to hazelcast. Other cache systems may work, same with a database.

Ray

On Fri, 2022-08-12 at 17:14 +0530, Vikash Chandra Ansh wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

-- 

Ray Bon

Programmer Analyst

Development Services, University Systems

2507218831 | CLE 019 | rb...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

[Vikash Chandra Ansh]

Thanks Ray for your quick response.

But in my case sometime,same ST is getting forwarded to client side multiple time one with 302 response and rest other with 401.

Could you please guide why this is happening?

Yes i have NLB on top of my CAS Apache Web server on which sticky session is enabled. 

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/5b9a50575d454a139aee5d1a7190442afe8e669b.camel%40uvic.ca.

[Ray Bon]

Vikash,

I would think it unlikely that cas is creating duplicate ST, since most of the ST is randomly generated.

Perhaps something between cas and the browser is re-sending?

Cas logs will show 'creating/validating service ticket' messages. Check logs of apache and the load balancer.

Ray