CAS protocol - refresh token?

Question

CAS protocol - refresh token?

I've revisited the server-side documentation over and over again CAS

and understand perfectly the data flow between client, server and application.

However, I am particularly interested in what happens in the following scenario:

User comes to app, enters credentials and gets CAS

server permission
PHP gets the response, creates PHPSESSID
At some point, the administrator removes this user from the registry (be it a DBMS, LDAP, or something else)
User submits a request for a protected resource - gets the resource

So, as you can see, the main issue here is security . How and when is the session / access token checked / updated?

This question applies to CAS

and BeSimpleSsoAuthBundle

, but I believe it applies to other protocols of similar purpose.

Here's what I've tried:

Installed / configured CAS

in a separate window
Installed / configured app on a different field
App used to authenticate via CAS

- success
User tries to access a protected resource - success
Server crash Tomcat

that startsCAS
Tried to access a protected resource in the app - success (?!)

If I missed something, I'll be more than happy to update my question :)

+3

authentication php symfony cas

Jovan Perovic 23 Sep 14 at 22:39

source to share

1 answer

jleleu · Accepted Answer · 2014-09-26T06:20:51+0000

Disclaimer: I am the Chair of CAS and Founder of CAS in the Cloud ( https://www.casinthecloud.com ).

This is the general design of CAS: you have clients and a server, which gives some advantages, but one of the main problems is the fact that once you authenticate in your application, you cannot communicate with the CAS server again.

In real life, except when you use remember-me, this is not a problem at all. After a few hours (in the worst case), SSO / web sessions are terminated and the remote user can no longer log in.

CAS protocol - refresh token?

More articles: