where is TGT stored on client side?


Yan Zhou

Apr 12, 2016, 9:46:11 AM
to CAS Community
Hi there,

The CAS protocol says that the TGT is stored as a cookie on the client browser. But when I look at the cookies in the browser (Chrome), I do not see the TGT; the only one there is CASSESSIONID, which is how CAS tracks the user's place in the login flow.

Where is the TGT stored on the client? How can I see it?

Everything works fine on the server side, I do see the TGT, etc. I just cannot find where it is stored on the client.

Thanks,
Yan

Misagh Moayyed

Apr 12, 2016, 9:55:58 AM
to CAS Community

You cannot see it.

 

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/15308aa1-497b-4c19-82da-a7d88b6a4b32%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.

Yan Zhou

Apr 12, 2016, 10:01:54 AM
to Misagh Moayyed, CAS Community
OK, can you elaborate a bit? I am curious how this is done.

I see SET-COOKIE on TGC xxxx when authentication is complete, but I do not see the browser send the TGT cookie along with subsequent requests.

So, I wonder how this works.

Thx,
Yan

Misagh Moayyed

Apr 12, 2016, 11:21:42 AM
to CAS Community

The TGC is encrypted and signed. You wouldn’t know what’s inside it and wouldn’t have access to it. (The protocol does not say that the TGC is the same as the TGT. It says it is a representation of the TGT identifying the SSO session.)

 

What kind of subsequent requests?

Yan Zhou

Apr 12, 2016, 11:57:42 AM
to CAS Community, mmoa...@unicon.net

If the user goes to another app using CAS, the browser will need to send the TGT ticket (the CAS Protocol diagram shows it is getting that from the cookie).

If the TGT is not in the cookie, where does the browser get it from when the user goes to another app that uses CAS (after he logs in successfully to the first app)?

Yan

Marcos

May 3, 2016, 6:30:06 AM
to CAS Community, mmoa...@unicon.net

Hi,

I'm having this same problem:

I log in by Ajax against the SSO. I receive the cookie and the TGT, and I validate it against the SSO from my application server.
Then, I change from my .com domain to .es, and I lose the session on my server and the TGT.
I'm thinking of making my SSO server store the TGT in the session and making a method to retrieve it.

Waldbieser, Carl

May 3, 2016, 1:23:32 PM
to Marcos, CAS Community, mmoa...@unicon.net

I am having trouble following this. It seems to be totally opposite of why I would want to use CAS.
To me, the point of CAS is that I want it to be *the* central login page. I don't want to hide it behind my own login page.

The TGT cookie is in the user's browser, but it is supposed to be located in the domain of the *CAS* server. When any service protected by CAS needs to authenticate, it redirects the user's browser to the CAS server, and that cookie is available *to the CAS service only*. It is not meant to be shuffled around to other services, even if they are ones I maintain or control.

Does that make sense? Can you explain why you are trying to use ajax to log into CAS?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
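
The cookie scoping described in the reply above, as an added example that is not part of the thread or of the CAS code base: a small browser-style cookie jar with simplified RFC 6265 domain and path matching. The hosts, the `/cas` path, the `JSESSIONID` application cookie and all values are constructed for illustration; only the `TGC` cookie name comes from the thread.

```javascript
// Added example. Hosts, paths and cookie values are constructed, not from the thread.
// Simplified RFC 6265 matching: no public-suffix check, default Path is "/".
const domainMatch = (host, domain) => host === domain || host.endsWith("." + domain);
const pathMatch = (req, p) =>
  req === p || (req.startsWith(p) && (p.endsWith("/") || req[p.length] === "/"));

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie as if `setCookie` arrived in a response from `fromUrl`.
  set(fromUrl, setCookie) {
    const host = new URL(fromUrl).hostname;
    const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                domain: host, hostOnly: true, path: "/", secure: false };
    for (const attr of attrs) {
      const [k, v = ""] = attr.split("=");
      const key = k.toLowerCase();
      if (key === "domain" && v) { c.domain = v.replace(/^\./, "").toLowerCase(); c.hostOnly = false; }
      else if (key === "path" && v.startsWith("/")) c.path = v;
      else if (key === "secure") c.secure = true;
    }
    // A response may only set cookies for its own host or a parent domain of it.
    if (!domainMatch(host, c.domain)) return false;
    this.cookies = this.cookies.filter((o) => o.name !== c.name || o.domain !== c.domain || o.path !== c.path);
    this.cookies.push(c);
    return true;
  }

  // Names of the cookies a browser would attach to a request for `toUrl`.
  namesFor(toUrl) {
    const u = new URL(toUrl);
    return this.cookies.filter((c) =>
      (c.hostOnly ? u.hostname === c.domain : domainMatch(u.hostname, c.domain)) &&
      pathMatch(u.pathname, c.path) && (!c.secure || u.protocol === "https:")
    ).map((c) => c.name).sort();
  }
}

function demo() {
  const jar = new CookieJar();
  jar.set("https://cas.example.edu/cas/login", "TGC=opaque-value; Path=/cas; Secure; HttpOnly");
  jar.set("https://app.example.com/", "JSESSIONID=app-session; Path=/");
  return {
    appCom: jar.namesFor("https://app.example.com/home"), // the application's own session only
    appEs: jar.namesFor("https://app.example.es/home"),   // nothing crosses to another domain
    casLogin: jar.namesFor("https://cas.example.edu/cas/login?service=https%3A%2F%2Fapp.example.es%2F"),
    foreignSet: jar.set("https://app.example.com/", "TGC=x; Domain=cas.example.edu"), // rejected
  };
}
```

In this model the `TGC` is attached only when the browser is redirected back to the CAS host, which is when CAS can recognise the SSO session; the applications never receive it.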

Marcos

May 4, 2016, 4:30:01 AM
to CAS Community, mpa...@gmail.com, mmoa...@unicon.net


Hi Carl,

Thank you for your response. The reason why I'm not using the CAS login page is that my users want to keep the current login page, so I'm trying the Ajax auth.

Marcos.

Waldbieser, Carl

May 4, 2016, 9:19:53 AM
to Marcos, CAS Community, mmoa...@unicon.net
Marcos,

That begs the question, what benefit do you hope to get by using CAS in this way? Is it just for the single sign-on aspect? In that case, have you considered just using LDAP authentication, which would be a better fit for this scenario?

If it is just a question of the UI, it is definitely possible to customize the CAS login UI to look like an existing login page.
You can also make the page appear different for a particular service provider.

Thanks,
Carl