Problem with CAS 6.2.6


Florent Vallée

Feb 1, 2021, 8:19:23 AM
to CAS Community
Hello,

I have a problem with CAS, I have access on any browser to the authentication page and it returns me the requested attributes.
However, when I want to connect to an authorized service, it only works on Firefox. On Edge, Chrome this constantly returns me to the authentication page. Anyone have any idea what the problem is?

Florent

Ray Bon

Feb 1, 2021, 12:24:35 PM
to cas-...@apereo.org
Florent,

Once you have authenticated, cas will return a TGC (ticket granting cookie) to the browser. As long as this cookie is active, you should not see the log in page.
Those browsers may have some security settings that affect the TGC. Use your developer tools to see if the TGC is being deleted or not sent to cas. There are some cookie settings: https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties-Common.html#cookie-properties and https://apereo.github.io/cas/6.3.x/configuration/Configuration-Properties.html#ticket-granting-cookie.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Florent Vallée

Feb 2, 2021, 8:33:21 AM
to CAS Community
Hello,

I installed a CAS server in version 6.2.7. No worries for the connection and the connection to the different services.
We are only having a weird problem. On a computer, with Firefox no worries, on the other hand with Chrome, Edge, etc. and even on a smartphone with any browser, the CAS connection page loops permanently and does not connect to the service. It sometimes happens that by trying again 4-5 times in a row it will work but it is very random. If we simply connect to the login page we can connect well.
Can it be a problem with cookies management, redirects or other?
I can't find what options to add in cas.properties. Does anyone have any configuration examples?
 
Thank you for your help.
Florent


lanf detroy

Feb 5, 2021, 5:35:18 AM
to CAS Community, Florent Vallée

Nicolás López

Mar 17, 2021, 10:32:34 PM
to CAS Community, lanfd...@gmail.com, Florent Vallée
Same issue here. Did anybody find a solution or workaround?

Jérôme Rautureau

Mar 18, 2021, 3:31:40 AM
to cas-...@apereo.org
Hello

Have you tried to set cas.tgc.pin-to-session to false?

We had issues with TGC cookies which were invalidated due to network changes. For instance, when we switch to a new HTTP proxy or when we connect to a VPN.

Since the property was set to false, the TGC remains valid.

We are using the remember me feature.

Nicolás López

Mar 18, 2021, 10:47:34 AM
to CAS Community, jrautureau
We are going to try it and then will share the results.
Thanks!

Nicolás López

Mar 23, 2021, 10:19:39 AM
to CAS Community, Nicolás López, jrautureau
Unfortunately it did not solve the issue. But it seems to be a very old problem https://bugs.chromium.org/p/chromium/issues/detail?id=533625
Anybody else experiencing the same behaviour?


Andy Ng

Mar 24, 2021, 9:44:03 PM
to CAS Community, nicol...@gmail.com, jrautureau
Hi all,

On our side we are using 6.2.x and in production, no such problem observed.

We did implement multiple customizations regarding cookies, which are:
  • Samesite = None
  • 3rd party cookie 
Since I cannot reproduce the issue now, if anybody is free please help try the following verification method to identify the issue:

Note: Just throwing some idea out here, it might not work but I think worth some testing

For Samesite=None:
I made a post a while ago regarding this and the code needed for the fix, so not reposting again.

For some additional reading what is samesite=None, and code to fix the issue, see this: https://www.chromium.org/updates/same-site/incompatible-clients

For checking if this is indeed the issue, try the following (after making this change, only visit trusted websites; rolling back immediately is recommended):
  1. Open Chrome
  2. Go to chrome://flags/
  3. Search "samesite"
  4. Set all 3 items to "Disabled"
  5. Restart
  6. Try to log in again, see if the issue is solved
  7. Remember to go back to chrome://flags/ and restore the settings after testing

For 3rd party cookie:
This is unlikely to be the issue, but let's also try to verify it:
  1. Open Chrome
  2. Go to Setting > Privacy and Security > Cookie and Site Data
  3. Set All cookie
  4. Restart
  5. Try to log in again, see if the issue is solved
  6. Remember to roll back if you want to

If the issue is indeed one of them, we can work on implementing a patch to CAS to fix the issue. If not, then, well, I am currently out of ideas...

Regards,
Andy
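
The two cookie checks discussed so far in the thread (is the TGC deleted or not sent back to CAS, and is it set with SameSite=None) can be run over requests copied from the browser's Network tab. This is an added example, not code from any post in the thread or from CAS; the host names, cookie values and the entry layout are constructed, and the cookie Path is matched with a simple prefix test.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (part.partition("=") for part in rest) if k}
    return name.strip(), value.strip(), attrs

def audit_tgc(entries, name="TGC"):
    """Report where the ticket-granting cookie is deleted, mis-set or not returned."""
    findings, scope = [], None  # scope = (host, path) of the cookie currently held
    for i, entry in enumerate(entries):
        url = urlsplit(entry["url"])
        sent = {c.split("=", 1)[0].strip() for c in entry.get("cookie", "").split(";")}
        # Once issued, the cookie should come back on every request in its scope
        # (simplified prefix match on the cookie Path).
        if scope and url.hostname == scope[0] and url.path.startswith(scope[1]) \
                and name not in sent:
            findings.append(f"{i}: {name} not sent to {url.path}")
        for header in entry.get("set_cookie", []):
            cookie, value, attrs = parse_set_cookie(header)
            if cookie != name:
                continue
            if not value or attrs.get("max-age") == "0":
                findings.append(f"{i}: {name} deleted by server")
                scope = None
                continue
            scope = (url.hostname, attrs.get("path", "/"))
            # Chrome rejects SameSite=None cookies that are not marked Secure.
            if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
                findings.append(f"{i}: SameSite=None without Secure")
    return findings

# Constructed trace of a looping login (hosts and values are made up).
LOGIN = "https://sso.example.org/cas/login?service=https%3A%2F%2Fapp.example.org%2F"
LOOPING = [
    {"url": LOGIN},
    {"url": LOGIN, "set_cookie":
        ["TGC=constructed-tgt; Path=/cas/; Secure; HttpOnly; SameSite=None"]},
    {"url": "https://app.example.org/?ticket=ST-1-constructed"},
    {"url": LOGIN, "cookie": "JSESSIONID=constructed"},  # TGC missing: login page again
]
# Same trace, but the browser returns the TGC on the second visit to /cas/login.
HEALTHY = LOOPING[:3] + [dict(LOOPING[3], cookie="JSESSIONID=constructed; TGC=constructed-tgt")]

if __name__ == "__main__":
    print(audit_tgc(LOOPING), audit_tgc(HEALTHY))
```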

Nicolás López

Mar 25, 2021, 12:00:36 PM
to CAS Community, Andy Ng, Nicolás López, jrautureau
Hi Andy, thanks for your reply. This issue occurs even with the latest Chrome version (89) so I guess the reason is not the one related to the "samesite".

Florent Vallée

Mar 26, 2021, 4:49:18 AM
to CAS Community, nicol...@gmail.com, jrautureau, lon...@gmail.com
Hello, 

We tried the 2 solutions but none worked. We don't have any issues if we're connected on wifi, we only have the issue with 4G connection (smartphone with 4G or on computer with 4G shared connection)
We tried with version 6.1, 6.2 and 6.3.
Any other ideas?
We are desperate.

Regards,

Florent


Andy Ng

Mar 26, 2021, 6:01:39 AM
to CAS Community, Florent Vallée, nicol...@gmail.com, jrautureau, Andy Ng
Hi all,

I think I am also running out of ideas, let's see if the following would help identify the issue:

  1. Would it be your firewall blocking other browsers but allowing only Firefox?
    • You said using 4G will work but Wifi will not work. Usually a company firewall only blocks Wifi and not 4G, so it is a possible issue
  2. CAS server and client need to have communication between them, good to take a look and see if that is ok
  3. Would there be a special proxy in Firefox that makes it a different browser than Chrome / Edge
    • it is normal for me to forget to turn off the proxy for Firefox after use, maybe it is the same issue as well
  4. If network is involved, Chrome does have a Network speed throttle feature, which might or might not be helpful:
    1. Open Chrome,
    2. Press F12,
    3. Click on "No throttling"
    4. Select Fast 3G or other type of throttling
    5. Well.... Sometimes this type of throttling will produce a different result than just using a normal network speed browser. If nothing happens then oh well

See if this helps...

Cheers,
Andy

Nicolás López

Mar 26, 2021, 9:19:48 AM
to CAS Community, Andy Ng, Florent Vallée, Nicolás López, jrautureau
If I use the 3G throttling in Chrome for log in I can reproduce the issue consistently...now what should I do with this information? :D
Using firefox, even with the GPRS profile it logs in without any problem.

With the throttling you can just set upload/download max speed and latency, it looks so weird.

Nicolás López

Mar 26, 2021, 10:27:15 AM
to CAS Community, Nicolás López, Andy Ng, Florent Vallée, jrautureau
Additional information: using the Chrome throttling, with a custom profile entering ANY value for the upload speed (even 100Mb) the issue can be reproduced.

Can anybody please test if it happens under this scenario?

Nicolás López

Mar 26, 2021, 7:12:00 PM
to CAS Community, Nicolás López, Andy Ng, Florent Vallée, jrautureau
Finally after doing some research we updated the Tomcat from v9.0.33 to 9.0.43 and the issue seems to be solved. At least we tested with one particular user that was having this problem almost all the time, and with the Chrome throttling and we couldn't reproduce it again.

Andy Ng

Mar 27, 2021, 11:25:56 PM
to CAS Community, nicol...@gmail.com, Andy Ng, Florent Vallée, jrautureau
Hello,

Nice to hear that the Chrome throttling idea led to a new discovery.

It seems like this post might describe your issue: https://support.f5.com/csp/article/K85361055

It specifically said upgrading to at least 9.0.34 or above can solve the issue, so that's excluding your previous 9.0.33, which is possibly why it has the issue.

Cheers,
Andy

Nicolás López

Mar 28, 2021, 11:20:58 AM
to CAS Community, Andy Ng, Nicolás López, Florent Vallée, jrautureau
Hi Andy, your idea of using the Chrome throttling somehow led us to the idea of "could it be a Tomcat issue?". Then we tested with an embedded one we had and the issue did not occur, and it was a newer version. Next step was to update the older Tomcat and that's it!

Freedom K

Jan 3, 2023, 9:36:38 AM
to CAS Community, nicol...@gmail.com, Andy Ng, Florent Vallée, jrautureau
I am also facing the same issue.
I am using OKTA as authenticator so when I try to log in and the browser redirects to the Okta login page, if I wait 2 minutes and then provide my credentials, then the JSESSION changes, resulting in losing the destination service and redirecting to the cas default page. If I provide the credentials immediately, then there is no issue.

I am using cas 5.2.9 and Tomcat/8.5.35

Do you recommend to upgrade tomcat? Can I do it by keeping the same cas version?

Nicolas Lopez

Jan 5, 2023, 8:45:38 AM
to Freedom K, CAS Community, Andy Ng, Florent Vallée, jrautureau

Just my 2 cents: after installing Tomcat 9.0.43 and CAS 6.3.2 we did not face the issue anymore (it’s been 2 years so far…)
