TGT hard timeout does not work for rememberMe

James Mackerel

Jan 23, 2019, 11:03:02 PM
to CAS Community
Hi all,

I am trying to set the TGT session timeout for my CAS server. I want to configure CAS to act like this (for testing purposes):

1. if remember me is not checked, TGT will be killed if it is not used to grant ST in 10 seconds
2. if remember me is checked, TGT will be killed if it is not used to grant ST in 300 seconds
3. if a TGT grants a ST, its TTL will be refreshed to 3000 seconds
4. but no matter whether remember me is checked or not, a TGT will be killed 30 seconds after its creation

So these are the properties I set:

cas.ticket.tgt.rememberMe.enabled=true
cas.ticket.tgt.rememberMe.timeToKillInSeconds=300

cas.ticket.tgt.maxTimeToLiveInSeconds=3000
cas.ticket.tgt.timeToKillInSeconds=10
cas.ticket.tgt.hardTimeout.timeToKillInSeconds=30

cas.tgc.rememberMeMaxAge=2000

But when I check the remember me box, TGT will never be killed if I use it to grant ST less than every 300 seconds.

It seems like hardTimeout is not working when remember me is checked. Is this a bug?

I am using CAS 5.3.6 with the Redis ticket registry. Please help, thank you.

Ray Bon

Jan 24, 2019, 2:06:36 PM
to cas-...@apereo.org
James,

Although it is not on the list, https://apereo.github.io/cas/5.3.x/installation/Configuration-Properties.html#tgt-expiration-policy, I think remember me is checked first and it is 'reactivated' when TGT is used within its time frame (up to maxTimeToLiveInSeconds) as part of the sliding window.

1. yes
2. yes
3. no - TGT will be refreshed to 300s when remember me or 10s as per timeToKillInSeconds
4. hmm, this would depend on whether the check is for ticket validity or invalidity

Given that the first check is for 'never expire' and the last is for 'expire immediately', I think the check is for validity. That is, if TGT is valid, no more checks are made.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
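
Added example, not part of the thread and not CAS source code: a small Python model that contrasts the behaviour Ray describes (a sliding idle window per login type, capped by maxTimeToLiveInSeconds, with hardTimeout never consulted) against the behaviour James wants (the same window plus an absolute cap since creation). The class and function names are hypothetical, the numbers are the property values posted above, and the "sliding only" branch encodes Ray's reading as an assumption rather than verified CAS behaviour.

```python
from dataclasses import dataclass

# Values taken from the properties posted in the thread.
TTK_SESSION = 10       # cas.ticket.tgt.timeToKillInSeconds
TTK_REMEMBER_ME = 300  # cas.ticket.tgt.rememberMe.timeToKillInSeconds
MAX_TTL = 3000         # cas.ticket.tgt.maxTimeToLiveInSeconds
HARD_TIMEOUT = 30      # cas.ticket.tgt.hardTimeout.timeToKillInSeconds


@dataclass
class Tgt:  # hypothetical stand-in for a ticket-granting ticket
    created: int
    last_used: int
    remember_me: bool


def sliding_expired(t, now):
    """Assumed (Ray's reading): idle window, capped by MAX_TTL, no hard timeout."""
    idle_limit = TTK_REMEMBER_ME if t.remember_me else TTK_SESSION
    return now - t.last_used > idle_limit or now - t.created > MAX_TTL


def sliding_and_hard_expired(t, now):
    """James's intent: the same sliding window plus an absolute cap since creation."""
    return sliding_expired(t, now) or now - t.created > HARD_TIMEOUT


def lifetime(expired, remember_me, use_every, horizon=4000):
    """Second at which a TGT used every `use_every` seconds is first seen expired."""
    t = Tgt(created=0, last_used=0, remember_me=remember_me)
    for now in range(1, horizon + 1):
        if expired(t, now):
            return now
        if now % use_every == 0:
            t.last_used = now  # granting an ST refreshes the idle window
    return None


if __name__ == "__main__":
    # Constructed scenario: remember-me login, one ST granted every 20 seconds.
    print("sliding only  :", lifetime(sliding_expired, True, 20))
    print("sliding + hard:", lifetime(sliding_and_hard_expired, True, 20))
```

In the constructed scenario the sliding-only model keeps the ticket alive until the 3000-second cap, which matches what James observes, while the combined check ends it just after 30 seconds.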