Hi,
That doesn't sound correct. Been a while since I used this project but the udata and all the other fields are encrypted to make the ticket, so modifying anything should invalidate it.
How do you generate the cookie / tickets? Here is how I did it when I used the project (*) ...
On line 52 you can see sig is the encrypted version of the ticket, so you should not be able to modify anything in there. The apache module should do the verification to ensure this.
(*) still think this is a great lightweight way to do SSO, just no longer need it!
Thanks,
Matt