  • CAS 3.5.1 CASTGC cookie

    Hi,

    I have deployed CAS 3.5.1 on the server. My observations showed me a strange occurrence:

    1) I can see 2 CASTGC cookies with the same name and value getting added
    in the browser, with the only difference in the cookie path: one set
    with /cas-server-webapp-3.5.1 and the other /cas-server-webapp-3.5.1/
    (please note the / appended). Debugging the code shows that the
    CASTGC with the / appended is the only one getting added. I cannot
    figure out how the other gets added.

    2) Calling logout shows me that there is a CASTGC cookie deleted in
    the browser (monitoring through a cookie manager add-on), but immediately
    I see the cookie with the /cas-server-webapp-3.5.1 path (the one with no / appended)
    still unremoved.

    What can be the root cause? I am unable to find how this gets added
    again. Please let me know how to troubleshoot and close this issue.

    Thanks,
    Mckenzie

  • #2
    Hi,

    I saw your question about "CASTGC cookie deletion" on the CAS mailing list. Didn't you get relevant help?

    It's the first time I've heard about 2 CASTGC cookies being created: it's very strange. Did you try activating DEBUG logs on org.springframework.webflow to see what's going on?

    Best regards,
    Jérôme



    • #3
      Hi Jerome,
      I have still not been able to get a solution for that issue. But on further analysis of this, I have landed upon the above-mentioned behaviour, which has thrown some light on the root cause. As mentioned, there is some way a duplicate cookie gets created. I have enabled and added the debug logs as per your suggestion. I believe that this duplicate cookie can be the cause of the issue.

      I can see that login creates and sets only 1 CASTGC cookie in the browser. On calling logout it deletes the one it has created. But the duplicate one (with path set as /cas-server-webapp-3.5.1) still exists in the browser.

      To ensure that there is no collision with any of our code, I redeployed the CAS 3.5.1 war in a Tomcat server and tried replicating the behaviour. I can see the behaviour in this as well.

      Kindly suggest the way ahead. I have added the logs in the post for your reference. Sorry, the file could not be uploaded due to firewall issues.


      2013-01-07 11:11:11,098 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas-server-webapp-3.5.1/>
      2013-01-07 11:11:11,306 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
      2013-01-07 11:11:11,319 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
      2013-01-07 11:11:11,339 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-1-k6RunsWnst0j0raMC7a0ZR1Fdo3RLe>
      2013-01-07 11:11:17,329 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
      2013-01-07 11:11:17,329 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
      2013-01-07 11:11:27,034 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated [username: User]>
      2013-01-07 11:11:27,035 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
      2013-01-07 11:11:27,035 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [User]>
      2013-01-07 11:11:27,037 DEBUG [org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - <Created seed map='{username=[User]}' for uid='User'>
      2013-01-07 11:11:27,037 DEBUG [org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - <Adding attribute 'username' with value '[User]' to query builder 'null'>
      2013-01-07 11:11:27,038 DEBUG [org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - <Generated query builder 'sql=[username = ?] args=[User]' from query Map {username=[User]}.>
      2013-01-07 11:11:27,385 DEBUG [org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - <Executed 'select username, email, firstname, lastname from tablename where {0}' with arguments [User] and got results [{username=User, email=email, firstname=User, lastname=lastname}]>
      2013-01-07 11:11:27,395 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal User>
      2013-01-07 11:11:27,396 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Principal found: User>
      2013-01-07 11:11:27,396 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for User: {username=User, email=[email protected], lastname=Anthony, firstname=User}>
      2013-01-07 11:11:27,408 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
      =============================================================
      WHO: [username: User]
      WHAT: supplied credentials: [username: User]
      ACTION: AUTHENTICATION_SUCCESS
      APPLICATION: CAS
      WHEN: Mon Jan 07 11:11:27 IST 2013
      CLIENT IP ADDRESS: 10.66.237.34
      SERVER IP ADDRESS: 10.219.66.224
      =============================================================

      >
      2013-01-07 11:11:27,419 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org] to registry.>
      2013-01-07 11:11:27,419 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
      =============================================================
      WHO: [username: User]
      WHAT: TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org
      ACTION: TICKET_GRANTING_TICKET_CREATED
      APPLICATION: CAS
      WHEN: Mon Jan 07 11:11:27 IST 2013
      CLIENT IP ADDRESS: 10.66.237.34
      SERVER IP ADDRESS: 10.219.66.224
      =============================================================

      >
      2013-01-07 11:11:27,420 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
      2013-01-07 11:11:27,420 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org]>
      2013-01-07 11:11:27,440 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
      2013-01-07 11:11:27,440 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
      2013-01-07 11:11:27,445 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Terminate web session 23089437C56F0739F99E422DA649EF05.node1 in 2 seconds>


      After calling Logout

      2013-01-07 11:11:32,293 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
      2013-01-07 11:11:32,293 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service ^(https?|imaps?)://.*>
      2013-01-07 11:11:32,294 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 1 services.>
      2013-01-07 11:13:02,282 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org] from registry.>
      2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org]>
      2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org] found in registry.>
      2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Expiring and then deleting.>
      2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org] from registry>
      2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org]>
      2013-01-07 11:13:02,284 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
      =============================================================
      WHO: audit:unknown
      WHAT: TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org
      ACTION: TICKET_GRANTING_TICKET_DESTROYED
      APPLICATION: CAS
      WHEN: Mon Jan 07 11:13:02 IST 2013
      CLIENT IP ADDRESS: 10.66.237.34
      SERVER IP ADDRESS: 10.219.66.224
      =============================================================

      >
      2013-01-07 11:13:02,284 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASTGC]>
      2013-01-07 11:13:02,285 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
      2013-01-07 11:13:02,319 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
      2013-01-07 11:13:02,320 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>



      Thanks,
      Mckenzie


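The mechanism behind the leftover cookie in the post above, as an added example that is not code from this thread or from CAS: a small model of browser cookie identity and path matching following RFC 6265, assuming both CASTGC copies live on the same host and using a constructed placeholder ticket id.

```python
def path_matches(cookie_path, request_path):
    """RFC 6265 5.1.4 path-match: cookies scoped to /app and to /app/ are distinct
    cookies, yet both are sent with a request to /app/login."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Browser cookie store for one host. Identity is (name, path), so a Set-Cookie
    for one path never replaces, and cannot delete, the copy held under another."""

    def __init__(self):
        self._store = {}  # (name, path) -> value

    def set_cookie(self, name, value, path, max_age=None):
        if max_age is not None and max_age <= 0:  # expired Set-Cookie = deletion
            self._store.pop((name, path), None)
        else:
            self._store[(name, path)] = value

    def cookies_for(self, request_path):
        """Paths of stored cookies the browser would attach to this request."""
        return sorted(p for (_, p) in self._store if path_matches(p, request_path))

    def duplicates(self):
        """Names stored under more than one path: the symptom reported in this thread."""
        by_name = {}
        for name, path in self._store:
            by_name.setdefault(name, []).append(path)
        return {n: sorted(p) for n, p in by_name.items() if len(p) > 1}


def simulate_logout_leftover():
    jar = CookieJar()
    tgt = "TGT-EXAMPLE"  # constructed placeholder, not a real ticket id
    jar.set_cookie("CASTGC", tgt, "/cas-server-webapp-3.5.1")   # stray copy, no trailing slash
    jar.set_cookie("CASTGC", tgt, "/cas-server-webapp-3.5.1/")  # the path CAS logs at login
    dups_before = jar.duplicates()
    # logout: CAS expires the cookie under the path it set, and only that one
    jar.set_cookie("CASTGC", "", "/cas-server-webapp-3.5.1/", max_age=0)
    leftover = jar.cookies_for("/cas-server-webapp-3.5.1/login")
    return dups_before, leftover
```

Running duplicates() over the browser's cookie store right after login separates the two possible causes: logout failing, or a second Set-Cookie with the slash-less path being issued somewhere between CAS and the browser, which the logout deletion never touches.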

      • #4
        Let's continue this discussion on the CAS mailing list: https://lists.wisc.edu/read/messages?id=24938374...



        • #5
          Hello mckenzie,
          I'm having this same problem. I successfully deployed our Jasig SSO in my dev environment on Tomcat 7 and it works perfectly with single sign-out. However, after I deployed the same war to our staging environment, which uses Resin 4.0 as the server, I am experiencing this perpetual cookie issue in my Resin server/container. I enabled the debug log level and I noticed this:
          ...
          "
          2013-06-04 16:11:24,354 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Error getting service from flow state.>
          java.lang.IllegalStateException: No active FlowSession to access; this FlowExecution has ended
          at org.springframework.webflow.engine.impl.FlowExecutionImpl.getActiveSession(FlowExecutionImpl.java:191)
          at org.springframework.webflow.engine.impl.RequestControlContextImpl.getFlowScope(RequestControlContextImpl.java:134)
          "
          ...
          I followed up on the CAS mailing list and noticed you mentioned some custom settings in Tomcat were the problem. Could you please provide some clarification on what exactly it was, so I can see how I can solve it in Resin?

          My version of cas-server is 3.5.2

          Thanks



          • #6
            Hi,

            I'm pretty confident that this is not the root cause of your problem.
            That said, the easiest way to be sure is to comment out the TerminateWebSessionListener in the cas-servlet.xml file and to re-test.
            Best regards,
            Jérôme



            • #7
              Well, I am unable to understand this thread. Could anyone give me more information about it?



              • #8
                Hi Jerome,
                Sorry for not getting back earlier.
                I have been conducting further investigations on this.
                Something I did not mention earlier on is that I have a load balancer in place, and this behaviour is exhibited when requests pass through the load balancer.

                Image1
                Cookies after login.

                Image2
                Cookies after logout.



                Having done what you suggested, i.e. commenting out the TerminateWebSessionListener in the cas-servlet, this is the behaviour
                I noticed.
                Image3
                Disabled TerminateWebSessionListener.


                Although it wasn't consistent. At certain times it just went back to behaving as in image2.

                I will be very grateful for any help given.

                I am using Resin 4.036.
                I have a load balancer at 8080 and 9433 for https.
                This serves HA for three app instances: app-0, app-1, app-2.
                To do this I disabled two app instances. As such the setup was LB on 8080 and 9443, app-0 on 8081 and 9444 for https;
                the LB simply forwards to app-0.


                Thanks
