google-code-export / rubycas-client

Automatically exported from code.google.com/p/rubycas-client

Cookies disabled - client gets caught in infinite redirection loop #20

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
When the user's browser has cookies disabled, the client may get caught in
an infinite loop between the server and client, as the server redirects
back to the client, the client back to the server, etc., etc. This is
likely something that will have to be fixed in RubyCAS-Server (the server
should detect that cookies are disabled and warn the user that SSO won't
work), but the client should also handle this case more gracefully.

See http://groups.google.com/group/rubycas-server?hl=en

Original issue reported on code.google.com by matt.zuk...@gmail.com on 17 Mar 2008 at 5:52

GoogleCodeExporter commented 9 years ago

Original comment by matt.zuk...@gmail.com on 25 Mar 2008 at 11:53

GoogleCodeExporter commented 9 years ago
Hey Matt,

I am currently working on this. I just wanted to let you know so we don't
duplicate work.

Original comment by wmern...@gmail.com on 6 Oct 2008 at 11:56

GoogleCodeExporter commented 9 years ago
Hi Matt,

I attached a diff of a cookie checker. It checks to see if cookies are enabled.
If not, it displays a page saying to enable cookies and try again. I don't think
the server should check for enabled cookies. You may have a client that does not
use cookies but needs to authenticate once (file download maybe).

Also I think the cookie checking should be optional via an env variable in the
rubycas-client. There may be a case where they do not want it. Let me know what
you think.

Will

Original comment by wmern...@gmail.com on 7 Oct 2008 at 5:33

Attachments:

GoogleCodeExporter commented 9 years ago
Thanks Will, I'll take a look at the patch this week. I think you're right about
cookies only being necessary for certain operations... Maybe a better way to go
about it would be to merely show a warning message saying something like "Your
cookies appear to be disabled. This authentication system may not work correctly
until you re-enable cookies in your browser settings." This wouldn't prevent the
user from authenticating, but it would at least let them know that things might
not work as expected.

Original comment by matt.zuk...@gmail.com on 8 Oct 2008 at 2:15

GoogleCodeExporter commented 9 years ago
I had thought about that. But I am not sure how I could do it. My first thought
was a pop-up but you need JavaScript for that and if cookies are disabled JS
probably is too.

Right now it simply renders a page with the notification. Even if I put a link
to continue that would not work because it would fail auth again (since no
cookies have been set, it would try to re-auth).

I think that the notice would be possible on the RubyCAS-Server side if that
was doing a check for cookies.

From the client side I am not sure how we could achieve this.

Original comment by wmern...@gmail.com on 9 Oct 2008 at 12:56

GoogleCodeExporter commented 9 years ago
I was just wondering if this ever got into the code? Or if there is anything
else I need to do for it.

Will

Original comment by wmern...@gmail.com on 2 Dec 2008 at 12:32

GoogleCodeExporter commented 9 years ago
I did look into it, but can't remember where I ended up. I'm super busy right
now but I'll try to have another look before the new year. Feel free to continue
to hound me about this. It's important that we get this fixed.

Original comment by matt.zuk...@gmail.com on 3 Dec 2008 at 6:03

GoogleCodeExporter commented 9 years ago
No worries.  

Original comment by wmern...@gmail.com on 9 Dec 2008 at 3:42
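
A sketch of the client-side cookie check discussed in this thread, as an added example: it is not the attached patch and not rubycas-client code. It assumes a Rack-style middleware placed in front of the CAS filter; the cookie name, query parameter and `enabled:` switch are hypothetical.

```ruby
require 'uri'

# Rack-style middleware: probe for cookie support once, before any CAS redirect.
# PROBE, FLAG and the `enabled:` switch are hypothetical names for this example.
class CookieCheck
  PROBE = 'cas_cookie_probe' # name of the test cookie
  FLAG  = 'cookie_check'     # query parameter marking "probe already sent"

  def initialize(app, enabled: true)
    @app = app
    @enabled = enabled
  end

  def call(env)
    return @app.call(env) unless @enabled # check is optional, as proposed
    cookies = parse_cookies(env['HTTP_COOKIE'])
    params  = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
    if cookies.key?(PROBE)
      @app.call(env) # probe came back: cookies work, continue to the CAS filter
    elsif params[FLAG] == '1'
      # Probe was sent on the previous response but not returned: stop here
      # instead of bouncing between client and server again.
      [200, { 'Content-Type' => 'text/plain' },
       ['Cookies appear to be disabled. Enable cookies and try again.']]
    else
      # First request: set the probe and redirect exactly once to the same URL.
      query = URI.encode_www_form(params.merge(FLAG => '1'))
      [302, { 'Location' => "#{env['PATH_INFO']}?#{query}",
              'Set-Cookie' => "#{PROBE}=1; Path=/; HttpOnly" }, []]
    end
  end

  private

  # Parse a Cookie request header ("a=1; b=2") into a Hash.
  def parse_cookies(header)
    header.to_s.split(/;\s*/).map do |pair|
      name, value = pair.split('=', 2)
      [name.to_s, value.to_s]
    end.to_h
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, {}, ['protected page']] } # stand-in for the CAS-protected app
  # Constructed request from a browser that ignored the probe cookie.
  env = { 'PATH_INFO' => '/secure', 'QUERY_STRING' => 'cookie_check=1' }
  puts CookieCheck.new(app).call(env)[2].first
end
```

Because the notice page is returned only after one probe round trip, a browser without cookies sees at most a single redirect instead of the client/server loop described in the issue.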