> Just wondering if there could be a separate URL for mismatched
> tickets?
>
> E.G. Some user tampers with the cookie, we'd like to know about it, so
> we could put some logging on a special endpoint?
Sounds reasonable - I've added it to the to do/wishlist on <https://neon1.net/mod_auth_pubtkt/>. Shouldn't be too hard to add the next time I touch the Apache module source code :)
In the meantime, what you can also do is parse/verify the ticket yourself in your login server code to detect tickets with invalid signatures (but I see that you've implemented a matching Ruby library function, so I guess you're already doing that :).
- Manuel
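
The self-verification suggested in the reply above, as an added Ruby example (not code from this thread, from the poster's library, or from mod_auth_pubtkt). It assumes the ticket layout `field=value;...;sig=<base64>` with the signature covering everything before `;sig=`, and a digest that matches the module's configuration; the key pair, sample ticket and function names are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "logger"

# Verify a pubtkt-style ticket. Assumed layout: "k=v;k=v;...;sig=<base64>",
# with the signature computed over everything before ";sig=".
# Returns [status, fields]; status is :ok, :expired, :malformed or :bad_signature.
def check_ticket(ticket, public_key, digest: "SHA256", now: Time.now.to_i)
  data, sep, sig_b64 = ticket.to_s.rpartition(";sig=")
  return [:malformed, nil] if sep.empty? || data.empty?
  sig = Base64.strict_decode64(sig_b64)
  ok = public_key.verify(OpenSSL::Digest.new(digest), sig, data)
  return [:bad_signature, nil] unless ok
  # Parse fields only after the signature has been verified.
  fields = data.split(";").map { |kv| kv.split("=", 2) }.select { |p| p.size == 2 }.to_h
  return [:expired, fields] if fields["validuntil"].to_i <= now
  [:ok, fields]
rescue ArgumentError, OpenSSL::PKey::PKeyError
  [:bad_signature, nil] # undecodable base64 or unusable signature blob
end

# Hypothetical hook for the login server: log tampering, but not plain expiry.
def audit_ticket(ticket, public_key, client_ip, logger, **opts)
  status, fields = check_ticket(ticket, public_key, **opts)
  if status == :bad_signature || status == :malformed
    # inspect escapes control characters so the cookie cannot forge log lines.
    logger.warn("pubtkt #{status} from #{client_ip}: #{ticket.to_s[0, 80].inspect}")
  end
  [status, fields]
end

# Constructed sample data: throwaway key pair and a ticket signed with it.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
def sample_ticket(uid, validuntil, digest: "SHA256")
  data = "uid=#{uid};validuntil=#{validuntil};tokens=staff"
  sig = SAMPLE_KEY.sign(OpenSSL::Digest.new(digest), data)
  "#{data};sig=#{Base64.strict_encode64(sig)}"
end

if __FILE__ == $PROGRAM_NAME
  log = Logger.new($stderr)
  good = sample_ticket("alice", 2_000_000_000)
  forged = good.sub("uid=alice", "uid=admin") # field edited, signature left as is
  p audit_ticket(good, SAMPLE_KEY.public_key, "192.0.2.10", log, now: 1_700_000_000).first
  p audit_ticket(forged, SAMPLE_KEY.public_key, "192.0.2.10", log, now: 1_700_000_000).first
end
```

Keeping `:expired` out of the warning path means the log only fills with tickets whose content or signature was altered, which is the signal the original question was after.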