Closed GoogleCodeExporter closed 9 years ago
I'm not sure I understand... What is the point of keeping the ticket in the session?

When the user comes back from the CAS server with a service ticket, the ticket is always added to the URL.

So let's say the user tries to visit the CAS-protected page at http://example.foo/protected

The CAS filter redirects them to the CAS server, they authenticate, and are then sent back to http://example.foo/protected?ticket=ST-12345

The ticket is now in params[:ticket] and your CAS client will read it and validate it. Once it has been validated, the ticket is no longer usable, so what's the point of keeping it in the session?

If your service is redirecting to another page prior to calling the CAS filter, then I think the answer would be to put the CAS filter first, so that the redirection doesn't happen until after the ticket is read and validated. Other than that I can't think of another reason why you would want to do this.

Original comment by matt.zuk...@gmail.com on 22 Feb 2008 at 4:30

Okay I think I understand now what this is about. This is probably related to http://code.google.com/p/rubycas-client/issues/detail?id=19

I think in the move from 1.x to 2.x I inadvertently changed the behaviour of the client. It now by default re-checks your authentication with the CAS server, whereas the old client kept the old ticket receipt and just re-used that.

This seems to be causing a lot of problems, so for RubyCAS-Server 2.0.1 I'll revert to the old behaviour.

Original comment by matt.zuk...@gmail.com on 27 Feb 2008 at 8:14
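
The flow discussed in the two comments above, as an added Ruby sketch that is not RubyCAS-Client code and not part of the original thread: a service ticket is validated once and consumed, and the filter then keeps only the resulting receipt in the session and re-uses it on later requests. `FakeCasServer`, `cas_filter` and the `:cas_user` session key are hypothetical names, and the in-memory server is a constructed stand-in for the real CAS validation call.

```ruby
require "securerandom"

# Constructed stand-in for a CAS server; real validation is an HTTP call.
class FakeCasServer
  attr_reader :validations
  def initialize
    @tickets = {}
    @validations = 0
  end

  def issue_ticket(user, service)
    ticket = "ST-#{SecureRandom.hex(8)}"
    @tickets[ticket] = { user: user, service: service }
    ticket
  end

  # Validating consumes the ticket, so a replayed ticket is rejected.
  def validate(ticket, service)
    @validations += 1
    entry = @tickets.delete(ticket)
    entry && entry[:service] == service ? entry[:user] : nil
  end
end

# Hypothetical filter: validate an incoming ticket once, then keep only the
# resulting receipt (the username here) in the session, never the ticket.
def cas_filter(cas, session, params, service)
  if (ticket = params[:ticket])
    user = cas.validate(ticket, service)
    return [:redirect_to_cas, nil] unless user
    session[:cas_user] = user
    return [:ok, user]
  end
  return [:ok, session[:cas_user]] if session[:cas_user]
  [:redirect_to_cas, nil]
end

def demo
  cas = FakeCasServer.new
  service = "http://example.foo/protected"
  session = {}
  first = cas_filter(cas, session, {}, service)              # not logged in
  ticket = cas.issue_ticket("alice", service)
  back = cas_filter(cas, session, { ticket: ticket }, service)
  later = cas_filter(cas, session, {}, service)              # receipt re-used
  replay = cas_filter(cas, {}, { ticket: ticket }, service)  # spent ticket
  { first: first, back: back, later: later, replay: replay,
    validations: cas.validations, session: session }
end
```

Calling `demo` returns the outcome of each request, the number of validation calls made to the stand-in server, and the final session contents.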

FYI this has been fixed and will be released in 2.0.1. If you're using the Rails plugin and have it installed via Subversion, you can just do an update now and the behaviour you're looking for will be restored.

Original comment by matt.zuk...@gmail.com on 27 Feb 2008 at 11:18

Original issue reported on code.google.com by bruno.ma...@gmail.com on 22 Feb 2008 at 5:13