rubycas / rubycas-server

Provides single sign-on authentication for web applications, implementing the server-end of Jasig's CAS protocol.
http://rubycas.github.com

tgt cookie lifetime should > maximum_session_lifetime #178

Open anvyzhang opened 11 years ago

anvyzhang commented 11 years ago

If maximum_session_lifetime was set, then the tgt cookie should have a lifetime longer than maximum_session_lifetime.

mitfik commented 11 years ago

Hi,

As I understand it, we do not set any expiration time, which means that by default it should be "At end of session". So I do not see any reason why we would want to set one. Could you provide the scenario where you need that, or explain why you want to add it?

Thanks

anvyzhang commented 11 years ago

rubycas-server/lib/casserver/cas.rb:152

if settings.config[:maximum_session_lifetime] && Time.now - tgt.created_on > settings.config[:maximum_session_lifetime]

The tgt is stored in a cookie. If maximum_session_lifetime was set and the tgt cookie lifetime is shorter than maximum_session_lifetime, then the error "No ticket granting ticket given." occurred. But it was not supposed to be like this, since you set maximum_session_lifetime.
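The behaviour described in the comment above, as an added example that is not part of the thread or of the rubycas-server code base: a small Ruby model comparing a session-only tgt cookie with one whose Expires equals tgt.created_on + maximum_session_lifetime. The Tgt struct, the function names, the simplified browser model and the sample values are assumptions made for illustration.

```ruby
require 'time'

# Hypothetical stand-in for a stored ticket-granting ticket.
Tgt = Struct.new(:ticket, :created_on)

# Expiry to put on the tgt cookie: nil means a session cookie (no Expires),
# otherwise the moment the server itself stops accepting the ticket.
def tgt_cookie_expiry(tgt, max_lifetime, persistent)
  persistent && max_lifetime ? tgt.created_on + max_lifetime : nil
end

# Set-Cookie value for the ticket; Expires is added only when an expiry is set.
def tgt_cookie_header(tgt, expires)
  parts = ["tgt=#{tgt.ticket}", 'Path=/', 'Secure', 'HttpOnly']
  parts << "Expires=#{expires.httpdate}" if expires
  parts.join('; ')
end

# Simplified browser model: a session cookie is dropped when the browser is
# restarted, a persistent one is sent until its Expires time.
def cookie_sent?(expires, browser_restarted, now)
  expires.nil? ? !browser_restarted : now < expires
end

# Server-side check using the age condition quoted from cas.rb:152.
# :missing corresponds to the "No ticket granting ticket given." error.
def validate_tgt(cookie_value, store, max_lifetime, now)
  return :missing if cookie_value.nil?
  tgt = store[cookie_value]
  return :unknown if tgt.nil?
  return :expired if max_lifetime && now - tgt.created_on > max_lifetime
  :ok
end

# One visit: the browser decides whether to send the cookie, the server validates.
def visit(tgt, max_lifetime, persistent, browser_restarted, elapsed)
  now = tgt.created_on + elapsed
  expires = tgt_cookie_expiry(tgt, max_lifetime, persistent)
  sent = cookie_sent?(expires, browser_restarted, now) ? tgt.ticket : nil
  validate_tgt(sent, { tgt.ticket => tgt }, max_lifetime, now)
end

# Constructed sample: 8-hour maximum_session_lifetime, ticket value is made up.
SAMPLE = Tgt.new('TGC-constructed-example', Time.utc(2024, 1, 1, 9, 0, 0))
MAX = 8 * 3600
```

Because the cookie's Expires is derived from the same created_on and maximum_session_lifetime the server checks, the cookie never outlives the ticket, and the server-side age check still rejects an old ticket when the browser keeps a session cookie alive.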

anvyzhang commented 11 years ago

then what?

mitfik commented 11 years ago

Then we will create a few tests to confirm your error/scenario, and then we will apply the fix. We need to make sure that it will not break anything. I will try to do it as soon as possible, and I will keep you posted on progress.