Prevent users bookmarking and sharing URLs containing CAS ticket


Rob Pumphrey

Mar 4, 2022, 6:36:34 AM3/4/22
to CAS Community
Hi,
We have had a user complain about the behaviour of an application protected by CAS single sign on. 

The user Alice has logged into the application via the CAS login page, then pressed back on their browser and bookmarked the URL with https://example.com/?ticket=ST-344-adfafff......
Alice has then shared that URL with another person, Bob.
Bob navigates to the link supplied by Alice and is now logged into the application as Alice. This is a surprise to Alice and Bob.

Is there any way to help prevent users bookmarking URLs containing the ticket?
Is there any way to prevent Bob logging in as Alice with the URL with Alice's ticket?

We currently are thinking that we have to educate users not to bookmark the URLs that have the ticket parameter, but that seems a bit weak.

Any suggestions or insight would be welcome.
Thanks in advance.
Rob

Carl Waldbieser

Mar 4, 2022, 6:56:40 AM3/4/22
to cas-user
The lifetime of a service ticket is usually set pretty short: 15 or 20 seconds max. Alice needs to leak her ST within that timeframe for it to be valid, or else Bob should get an invalid ticket error at the client.

You may want to examine the ST lifetime and shorten it.

Thanks,
Carl Waldbieser 


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b1a5bf3d-e7cc-4065-8f14-ece00e261af3n%40apereo.org.

Petr Fišer

Mar 4, 2022, 7:20:13 AM3/4/22
to cas-...@apereo.org
Hello,
I think you should look into TGT/ST expiration and validation policies: https://apereo.github.io/cas/6.4.x/ticketing/Configuring-Ticket-Expiration-Policy.html
For example, setting

cas.ticket.st.number-of-uses=1

will make CAS invalidate the service ticket after one validation attempt. Subsequent validations will fail.
This might be your server-side mitigation. The setting can also be defined per service.

You sometimes need to take special care, as some JS applications, with their asynchronous requests, might make more than one validation attempt.
We have even seen differences between browsers... FF and Safari were fine with one validation, IE needed a limit of 20 validations to work correctly. The root cause of this was in the particular application, so YMMV.

Cheers,
Fiisch
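To make the two server-side knobs from Carl's and Petr's replies concrete, here is an added toy model of CAS service-ticket validation (example code, not CAS's own implementation). It has a registry whose expiration policy carries a time-to-kill and a number-of-uses, analogous to `cas.ticket.st.time-to-kill-in-seconds` and `cas.ticket.st.number-of-uses`, and replays the Alice/Bob scenario from the original question under a lax and a strict policy. The class and function names, the fixed clock values and the `"alice"`/`"bob"` principals are all constructed for this example.

```python
"""Toy model of CAS service-ticket (ST) validation under an expiration policy.

Added example, not CAS code. It mirrors the two settings discussed in the
thread (a short ST lifetime and number-of-uses=1) to show why a bookmarked
or forwarded `?ticket=ST-...` URL stops working server-side once either
limit is hit. Names, clock values and principals are constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass
class STExpirationPolicy:
    # Analogue of cas.ticket.st.time-to-kill-in-seconds (CAS default is short).
    time_to_kill_in_seconds: float = 10.0
    # Analogue of cas.ticket.st.number-of-uses; 1 means single-use.
    number_of_uses: int = 1


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str      # the service URL the ST was issued for
    principal: str    # who authenticated
    created_at: float
    uses: int = 0


class TicketRegistry:
    """Issues STs and validates them the way /serviceValidate would."""

    def __init__(self, policy: STExpirationPolicy):
        self.policy = policy
        self._tickets: dict[str, ServiceTicket] = {}

    def grant(self, service: str, principal: str, now: float) -> str:
        tid = "ST-" + secrets.token_urlsafe(16)
        self._tickets[tid] = ServiceTicket(tid, service, principal, now)
        return tid

    def validate(self, ticket_id: str, service: str, now: float):
        """Return (principal, None) on success or (None, error_code) on failure."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return None, "INVALID_TICKET"          # unknown, consumed or expired
        if service != st.service:
            return None, "INVALID_SERVICE"         # ST is bound to one service
        if now - st.created_at > self.policy.time_to_kill_in_seconds:
            del self._tickets[ticket_id]           # lifetime exceeded
            return None, "INVALID_TICKET"
        st.uses += 1
        if st.uses >= self.policy.number_of_uses:
            del self._tickets[ticket_id]           # use budget exhausted
        return st.principal, None


SERVICE = "https://example.com/"


def replay_scenario(policy: STExpirationPolicy, delay_before_bob: float):
    """Alice's client validates her ST once; Bob replays the same URL later.

    Returns (alice_principal, alice_error, bob_principal, bob_error).
    """
    reg = TicketRegistry(policy)
    t0 = 1_000.0                                   # constructed clock origin
    tid = reg.grant(SERVICE, "alice", t0)
    alice, alice_err = reg.validate(tid, SERVICE, t0 + 1)
    bob, bob_err = reg.validate(tid, SERVICE, t0 + 1 + delay_before_bob)
    return alice, alice_err, bob, bob_err


def expiry_scenario(policy: STExpirationPolicy, delay: float):
    """Nobody validates until `delay` seconds after issuance."""
    reg = TicketRegistry(policy)
    t0 = 1_000.0
    tid = reg.grant(SERVICE, "alice", t0)
    return reg.validate(tid, SERVICE, t0 + delay)


if __name__ == "__main__":
    lax = STExpirationPolicy(time_to_kill_in_seconds=3600, number_of_uses=20)
    strict = STExpirationPolicy()                  # 10 s, single use
    print("lax policy, Bob 5 s later:   ", replay_scenario(lax, 5))
    print("strict policy, Bob 5 s later:", replay_scenario(strict, 5))
    print("strict policy, first use at 15 s:", expiry_scenario(strict, 15))
```

Under the lax policy Bob's replay returns Alice's principal, which is exactly the surprise described in the question; under the strict policy the second validation is rejected because the ticket was consumed, and a ticket nobody validates within the lifetime is rejected on first use. The same consumed-ticket path is what bites the asynchronous JS applications Petr mentions: a second validation request from Alice's own client is indistinguishable from Bob's replay.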

Rob Pumphrey

Mar 4, 2022, 8:51:29 AM3/4/22
to CAS Community, petr.f...@gmail.com
Excellent, thank you. Our ST expiration lifetime is too long.