Letractively / rubycas-server

Automatically exported from code.google.com/p/rubycas-server
GNU Lesser General Public License v2.1

cas cookie persisting #108

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. login to cas server using firefox 3.6.14
2. close the browser
3. restart browser and navigate to cas login page

The login page now indicates that I'm still logged in

What version of RubyCAS-Server are you using? How is it installed (rubygem,
manual install)? How are you running it (webrick, mongrel, passenger,
etc.)?

Trunk (sinatra, only setup 3 days ago), manual install, using passenger

If relevant, please paste your RubyCAS-Server config.yml file here.

Base config.yml, PostgreSQL CAS and authenticator DBs, single logout enabled. 
No other customizations.

Please provide any additional information below.

I've just noticed this behavior when I tried testing from a remote location 
(work). Didn't notice this at home but will try again later and with multiple 
browsers.

Bit concerned that I haven't been able to find other issues here with this 
problem - if this is browser settings or network based (btw, not using proxies 
ATM), it is a very scary security hole.

Anyway, hopefully it's a noob thing on my part (forgot some setting somewhere). 
Any assistance greatly appreciated.

Original issue reported on code.google.com by osu...@gmail.com on 21 Dec 2010 at 8:43

GoogleCodeExporter commented 8 years ago
The Sinatra release is still very much a beta if not alpha, so no promises 
about it being problem-free.

The way it's supposed to work is if you have a 'maximum_session_lifetime' 
setting in your config, the auth session cookie will live the length of the 
configured lifetime regardless of whether you shut down your browser. If you 
don't have a maximum_session_lifetime value, the cookie should get wiped when 
you shut down your browser.

Here's the relevant code: 
https://github.com/gunark/rubycas-server/blob/master/lib/casserver/server.rb#L373-384

As far as I know this worked fine in the old Camping version, but maybe Sinatra 
handles its cookies differently. I'll have to look into it (or better yet, 
maybe someone else who has a moment right now could look into it for us).

Original comment by matt.zuk...@gmail.com on 21 Dec 2010 at 9:10

GoogleCodeExporter commented 8 years ago
No probs re release, I'm only playing/learning for now (still new to Ruby as 
well) and happy to be part of the testing process. I'll start pushing for its 
use at work once we get it stable. + thanks to all involved for the Sinatra 
version, trying to install the previous with the current mix of gem versions 
was a nightmare!

Coming back to the problem at hand; had a bit of a look and there seems to be 
some confusion regarding the maximum_session_lifetime setting. The comments on 
the config file state that this setting is server-side processing only and not 
related to the client cookie:

https://github.com/gunark/rubycas-server/blob/master/resources/config.example.yml#L562-565

If it isn't specified in the config file, it defaults to 1 month:

https://github.com/gunark/rubycas-server/blob/master/lib/casserver/server.rb#L25

This all works fine if that setting is used for the purpose stated in the 
config file but it is, as you stated, getting used for cookie expiry so you 
always end up with a persistent cookie:

https://github.com/gunark/rubycas-server/blob/master/lib/casserver/server.rb#L373-384

If there is to be allowance for persistent cookies, it would need its own 
setting that defaults to nil. I would be very careful with that though; most 
users (of pretty much any software) don't log off properly. You can imagine 
what would happen with persistent cookies and internet cafes :O

Maybe have the cookie expiry setting (if it is configured) only apply if the 
user checks a 'keep me logged in on this computer' type of option at login?

Original comment by osu...@gmail.com on 22 Dec 2010 at 7:18
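The split the comment above argues for, as an added illustration (this is not rubycas-server's code; the cookie name `tgt`, the config keys `:persistent_cookie_lifetime`, and the helper names are assumptions made for the example). Server-side ticket expiry stays tied to `maximum_session_lifetime`, while the client cookie only gets an `expires` attribute when the deployer has enabled a separate persistent-cookie lifetime AND the user ticked a "keep me logged in" option; otherwise it is a session cookie that the browser discards on close.

```ruby
require 'time'

# Constructed example: work out the attributes of the CAS ticket-granting
# cookie from server config and the login request. Names are assumptions
# for illustration, not rubycas-server's own API.
#
# Two settings are deliberately kept apart:
#   :maximum_session_lifetime   - server-side ticket expiry, in seconds
#   :persistent_cookie_lifetime - client cookie expiry, in seconds; nil means
#                                 "session cookie", wiped when the browser closes
DEFAULT_MAX_SESSION_LIFETIME = 2_592_000 # 30 days, mirroring the 1-month default

# Server-side check: a ticket older than the configured lifetime is dead
# regardless of what cookie the browser still presents.
def ticket_expired?(created_at, config, now: Time.now)
  lifetime = config[:maximum_session_lifetime] || DEFAULT_MAX_SESSION_LIFETIME
  now - created_at > lifetime
end

# Client-side cookie attributes. A persistent cookie is only issued when the
# deployer opted in via config AND the user ticked "keep me logged in".
def cookie_attributes(config, remember_me: false, now: Time.now)
  attrs = {
    path: '/',
    secure: true,     # CAS traffic should only ever be carried over TLS
    http_only: true   # keep the ticket-granting cookie away from page scripts
  }
  persist = config[:persistent_cookie_lifetime]
  attrs[:expires] = now + persist if persist && remember_me
  attrs
end

# Render the attributes as a Set-Cookie header value.
def set_cookie_header(name, value, attrs)
  parts = ["#{name}=#{value}", "path=#{attrs[:path]}"]
  parts << "expires=#{attrs[:expires].httpdate}" if attrs[:expires]
  parts << 'secure' if attrs[:secure]
  parts << 'HttpOnly' if attrs[:http_only]
  parts.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  cfg = { maximum_session_lifetime: 3600, persistent_cookie_lifetime: 86_400 }
  puts set_cookie_header('tgt', 'TGC-example', cookie_attributes(cfg))
  puts set_cookie_header('tgt', 'TGC-example', cookie_attributes(cfg, remember_me: true))
end
```

With no `:persistent_cookie_lifetime` in the config the `remember_me` flag is ignored and the header carries no `expires`, which is the internet-cafe-safe default the comment asks for; the server-side lifetime still bounds how long a ticket is honoured even if a persistent cookie outlives it.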

GoogleCodeExporter commented 8 years ago
Did some changes to the code to make it do what I think it was originally meant 
to do:

https://github.com/gunark/rubycas-server/issues#issue/31

Btw, I noticed the issue tracking there as well; which one should I be using?

Also noticed some issues with ticket cleanup, I'll post that (and hopefully do 
some work on it with some guidance) once I know where to post.

Thanks

Original comment by osu...@gmail.com on 24 Dec 2010 at 8:24

GoogleCodeExporter commented 8 years ago
Was there any resolution to this issue?

Original comment by lif...@puppetlabs.com on 19 Mar 2012 at 6:06

GoogleCodeExporter commented 8 years ago
It slipped off my radar. Maybe someone can confirm whether this is still there?

Original comment by matt.zuk...@gmail.com on 19 Mar 2012 at 6:36