CAS protocol - refresh token?

I've revisited the CAS server-side documentation over and over again and understand perfectly the data flow between client, server and application.

However, I am particularly interested in what happens in the following scenario:

  • User comes to app, enters credentials and gets CAS server permission
  • PHP gets the response, creates PHPSESSID
  • At some point, the administrator removes this user from the registry (be it a DBMS, LDAP, or something else)
  • User submits a request for a protected resource - gets the resource

So, as you can see, the main issue here is security. How and when is the session / access token checked / updated?

This question applies to CAS and BeSimpleSsoAuthBundle, but I believe it applies to other protocols of similar purpose.

Here's what I've tried:

  • Installed / configured CAS in a separate window
  • Installed / configured app on a different field
  • App used to authenticate via CAS - success
  • User tries to access a protected resource - success
  • Server crash Tomcat that starts CAS
  • Tried to access a protected resource in the app - success (?!)

If I missed something, I'll be more than happy to update my question :)



1 answer

Disclaimer: I am the Chair of CAS and Founder of CAS in the Cloud.

This is the general design of CAS: you have clients and a server, which gives some advantages, but one of the main problems is the fact that once you authenticate in your application, you cannot communicate with the CAS server again.

In real life, except when you use remember-me, this is not a problem at all. After a few hours (in the worst case), SSO / web sessions are terminated and the remote user can no longer log in.
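Since the application keeps trusting its own PHPSESSID after the CAS login, how long a removed user keeps access is decided by the application's session handling. The following is an added example, not code from the question, the answer, CAS or BeSimpleSsoAuthBundle, of bounding that window on the application side. The constants, `checkSession()` and the registry lookup callback are hypothetical names, and the timeline at the end is constructed.

```php
<?php
// Added example: limits how long a local PHP session is trusted after CAS login.
// REVALIDATE_AFTER, ABSOLUTE_LIFETIME and the lookup callback are hypothetical.

const REVALIDATE_AFTER  = 300;   // seconds between registry re-checks
const ABSOLUTE_LIFETIME = 28800; // force a fresh CAS login after 8 hours

/**
 * Decide what to do with a request that carries an existing local session.
 * Returns 'allow', or 'reauthenticate' (session dropped, send user to CAS login).
 */
function checkSession(array &$session, int $now, callable $userStillExists): string
{
    if (!isset($session['user'], $session['authenticated_at'], $session['checked_at'])) {
        return 'reauthenticate';
    }
    // Absolute cap: the CAS ticket was validated too long ago.
    if ($now - $session['authenticated_at'] > ABSOLUTE_LIFETIME) {
        $session = [];
        return 'reauthenticate';
    }
    // Periodic re-check against the user registry (DBMS, LDAP, ...).
    if ($now - $session['checked_at'] >= REVALIDATE_AFTER) {
        if (!$userStillExists($session['user'])) {
            $session = [];
            return 'reauthenticate';
        }
        $session['checked_at'] = $now;
    }
    return 'allow';
}

// Constructed timeline matching the scenario in the question.
$registry = ['alice' => true];
$lookup = function (string $user) use (&$registry): bool {
    return isset($registry[$user]);
};
$t0 = 1700000000;
$session = ['user' => 'alice', 'authenticated_at' => $t0, 'checked_at' => $t0];

echo checkSession($session, $t0 + 60, $lookup), "\n";   // inside the re-check window
unset($registry['alice']);                               // administrator removes the user
echo checkSession($session, $t0 + 120, $lookup), "\n";  // registry not consulted yet
echo checkSession($session, $t0 + 400, $lookup), "\n";  // re-check runs, user is gone
```

The second call shows the remaining exposure: between re-checks the removed user is still served, so `REVALIDATE_AFTER` is the upper bound on that window.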


