
  • JA-SIG CAS server. Single Sign Out feature conflict with session-fixation protection

    Hello,

    I ran into problems with the CAS Single Sign Out feature working together with the session-fixation protection feature.

    Indeed, Spring Security ConcurrentSessionControlStrategy always invalidates the existing session (call of session.invalidate()) and creates a new one to prevent session-fixation attacks.

    So, after the CAS login process, SingleSignOutHttpSessionListener.sessionDestroyed() is called, causing the "ST to original session association" to be removed from SingleSignOutFilter's SESSION_MAPPING_STORAGE member.

    When a single sign out request is posted, the new session isn't invalidated because the "ST to new session association" was never registered in SingleSignOutFilter's SESSION_MAPPING_STORAGE member.

    Versions:
    Spring Security 3.0.5.RELEASE
    Spring Security CAS Client 3.0.5.RELEASE
    Cas Client Core 3.1.10
    Cas Server 3.4.4

    Thanks for your reply
    Fabrice DUBOIS

  • #2
    You are right that they will not work together. You might log a JIRA to request support for both. Naturally you can plug in your own implementations to correct the issue too.

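    One way to "plug in your own implementation", as the reply above suggests: a SessionAuthenticationStrategy wrapper that runs the session-fixation protection first and then registers the service ticket against the freshly created session. This is an added example, not code from this thread, from Spring Security or from the CAS client; it assumes cas-client-core's SessionMappingStorage interface (addSessionById / removeBySessionById), that CasAuthenticationToken.getCredentials() carries the service ticket string, and that the same SessionMappingStorage instance is also set on SingleSignOutFilter via setSessionMappingStorage().

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.jasig.cas.client.session.SessionMappingStorage;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

// Wraps the configured strategy (e.g. ConcurrentSessionControlStrategy). After the
// delegate has invalidated the old session and created a new one, the service ticket
// is registered again against the new session so that a later single sign out
// request for that ticket can still find and invalidate it.
public class SingleSignOutAwareSessionStrategy implements SessionAuthenticationStrategy {

    private final SessionAuthenticationStrategy delegate;
    // Assumption: this is the same SessionMappingStorage instance that is set on
    // SingleSignOutFilter via setSessionMappingStorage(); otherwise the filter and
    // the listener consult a different map than the one written here.
    private final SessionMappingStorage sessionMappingStorage;

    public SingleSignOutAwareSessionStrategy(SessionAuthenticationStrategy delegate,
                                             SessionMappingStorage sessionMappingStorage) {
        this.delegate = delegate;
        this.sessionMappingStorage = sessionMappingStorage;
    }

    public void onAuthentication(Authentication authentication, HttpServletRequest request,
                                 HttpServletResponse response) {
        // Session-fixation protection runs first: the old session is invalidated, so
        // SingleSignOutHttpSessionListener.sessionDestroyed() drops the old ST mapping.
        delegate.onAuthentication(authentication, request, response);

        if (!(authentication instanceof CasAuthenticationToken)) {
            return; // not a CAS login, nothing to re-register
        }
        // Assumption: the token's credentials hold the service ticket string that
        // CasAuthenticationFilter read from the "ticket" request parameter.
        Object credentials = authentication.getCredentials();
        HttpSession newSession = request.getSession(false);
        if (credentials == null || newSession == null) {
            return;
        }
        // Recreate the "ST -> session" association for the migrated session so that
        // SingleSignOutFilter can invalidate it when the CAS server posts the logout request.
        sessionMappingStorage.removeBySessionById(newSession.getId());
        sessionMappingStorage.addSessionById(credentials.toString(), newSession);
    }
}
```

    The wrapper goes in place of ConcurrentSessionControlStrategy as the session-authentication-strategy of CasAuthenticationFilter, with the original strategy passed in as the delegate; verify the fix by posting a single sign out request for the ticket and checking that the post-login session is invalidated.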


    • #3
      Thank you very much for your reply. I will create a JIRA issue.
