CAS protocol - refresh token?
I've re-read the CAS server-side documentation over and over again and understand perfectly the data flow between client, server and application.
However, I am particularly interested in what happens in the following scenario:
- User comes to the app, enters credentials and gets CAS server permission; PHP gets the response and creates a PHPSESSID.
- At some point, the administrator removes this user from the registry (be it a DBMS, LDAP, or something else).
- User submits a request for a protected resource and gets the resource.
So, as you can see, the main issue here is security. How and when is the session / access token checked / updated?
This question applies to CAS and BeSimpleSsoAuthBundle, but I believe it applies to other protocols of similar purpose.
Here's what I've tried:
- Installed / configured CAS on a separate box.
- Installed / configured the app on a different box.
- App authenticated via CAS: success.
- User tried to access a protected resource: success.
- Crashed the Tomcat server that runs CAS.
- Tried to access a protected resource in the app: success (?!)
If I missed something, I'll be more than happy to update my question :)
Disclaimer: I am the Chair of CAS and Founder of CAS in the Cloud ( https://www.casinthecloud.com ).
This is the general design of CAS: you have clients and a server, which gives some advantages, but one of the main problems is the fact that once you authenticate in your application, you cannot communicate with the CAS server again.
In real life, except when you use remember-me, this is not a problem at all. After a few hours (in the worst case), SSO / web sessions are terminated and the remote user can no longer log in.
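To make the question's scenario and the answer's point concrete, here is an added simulation in Python that is not code from the page, from the CAS project or from BeSimpleSsoAuthBundle. It replays the steps above: the CAS server issues a single-use service ticket, the application validates it once (the equivalent of a `/serviceValidate` call) and opens its own session (the PHPSESSID role), the administrator then deletes the user and the CAS server goes down, and the protected resource is still served until the application's own session expires and forces a new CAS login. The class names, the in-memory registry, the service URL, the timestamps and the three-hour session age are all assumptions made for the illustration.

```python
"""CAS-style SSO lifecycle, simulated end to end (added example, not CAS code)."""
import secrets


class CasServerDown(Exception):
    """Raised when the application tries to reach a CAS server that is down."""


class CasServer:
    """Stand-in for a CAS server backed by a user registry (a dict standing in
    for LDAP/DBMS). Issues single-use service tickets bound to one service."""

    def __init__(self, registry):
        self.registry = registry          # username -> password (constructed)
        self.tickets = {}                 # ST -> (username, service)
        self.available = True             # False simulates the Tomcat crash

    def login(self, username, password, service):
        """Primary authentication; returns a service ticket or None."""
        if not self.available:
            raise CasServerDown("CAS login endpoint unreachable")
        if self.registry.get(username) != password:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.tickets[st] = (username, service)
        return st

    def service_validate(self, st, service):
        """Equivalent of /serviceValidate: the ticket is consumed on first use
        and must be presented by the service it was issued for."""
        if not self.available:
            raise CasServerDown("CAS validation endpoint unreachable")
        entry = self.tickets.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]


class Application:
    """Stand-in for the PHP application: talks to CAS exactly once per login,
    then serves protected resources from its own session store only."""

    def __init__(self, cas, service, max_session_age):
        self.cas = cas
        self.service = service
        self.max_session_age = max_session_age   # seconds; the expiry the answer relies on
        self.sessions = {}                        # session id -> (user, created)

    def callback(self, st, now):
        """Ticket arrives on the callback URL; validate it and open a session."""
        user = self.cas.service_validate(st, self.service)
        if user is None:
            return None
        sid = secrets.token_hex(16)               # plays the role of PHPSESSID
        self.sessions[sid] = (user, now)
        return sid

    def get_protected(self, sid, now):
        """HTTP-style status. CAS is never contacted here, so a user deleted at
        the registry is not noticed until the local session expires and the
        browser is sent back to CAS for a fresh login."""
        entry = self.sessions.get(sid)
        if entry is None:
            return 401
        _user, created = entry
        if now - created > self.max_session_age:
            del self.sessions[sid]                # forces a new CAS round trip
            return 401
        return 200


def run_scenario(max_session_age=3 * 3600):
    """Replay the question's steps and return the observed outcomes."""
    service = "https://app.example.test/"         # assumed service URL
    registry = {"alice": "correct horse"}         # constructed registry
    cas = CasServer(registry)
    app = Application(cas, service, max_session_age)
    t0 = 1_700_000_000                            # arbitrary epoch seconds

    st = cas.login("alice", "correct horse", service)
    sid = app.callback(st, t0)

    del registry["alice"]            # administrator removes the user
    cas.available = False            # Tomcat that runs CAS crashes

    results = {
        "after_removal": app.get_protected(sid, t0 + 60),
        "after_expiry": app.get_protected(sid, t0 + max_session_age + 1),
    }
    cas.available = True
    # With the session gone the user must go back to CAS, and the login now
    # fails because the registry entry no longer exists.
    results["relogin"] = cas.login("alice", "correct horse", service)
    # A consumed service ticket cannot be replayed to mint a second session.
    results["replayed_ticket"] = cas.service_validate(st, service)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The `after_removal` outcome is the "success (?!)" from the question: the application has no reason to call CAS on an ordinary request, so a registry deletion is invisible to it. The `after_expiry` outcome is the answer's mitigation: once the local session ages out, the only way back in is through CAS, where the deleted user can no longer log in. Shortening `max_session_age` narrows that window at the cost of more frequent round trips to the CAS server.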