Jan 14th, 2011, 08:41 AM
JA-SIG CAS server. Single Sign Out feature conflict with session-fixation protection
I ran into problems with the CAS Single Sign Out feature working together with the session-fixation protection feature.
Indeed, Spring Security ConcurrentSessionControlStrategy always invalidates the existing session (by calling session.invalidate()) and creates a new one to prevent session-fixation attacks.
So, after the CAS login process, SingleSignOutHttpSessionListener.sessionDestroyed() is called, causing the "ST to original session" association to be removed from SingleSignOutFilter's SESSION_MAPPING_STORAGE member.
When a single sign out request is posted, the new session isn't invalidated because the "ST to new session" association was never registered in SingleSignOutFilter's SESSION_MAPPING_STORAGE member.
Spring Security 3.0.5.RELEASE
Spring Security CAS Client 3.0.5.RELEASE
Cas Client Core 3.1.10
Cas Server 3.4.4
Thanks for any reply.
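One way to close the gap the post describes, as an added example that is not part of the thread and not code from the CAS client or Spring Security projects: a SessionAuthenticationStrategy wrapper that lets ConcurrentSessionControlStrategy migrate the session as usual and then re-registers the service ticket (ST) against the new session in the same SessionMappingStorage that SingleSignOutFilter uses. It assumes the CAS client 3.1.x SessionMappingStorage interface with an addSessionById(String, HttpSession) method, the Spring Security 3.0.x SessionAuthenticationStrategy interface, and that the ST is carried in the "ticket" request parameter; the class and package names are hypothetical.

```java
// Added example (hypothetical class, not from the CAS client or Spring Security):
// wraps the session-fixation strategy and re-registers the ST against the
// migrated session so that a single sign out request can still find it.
package example.cas; // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.jasig.cas.client.session.SessionMappingStorage;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

public class SingleSignOutAwareSessionStrategy implements SessionAuthenticationStrategy {

    // The real session-fixation protection, e.g. ConcurrentSessionControlStrategy.
    private final SessionAuthenticationStrategy delegate;

    // Must be the SAME instance that SingleSignOutFilter is configured with,
    // otherwise the single sign out request looks in a different map.
    private final SessionMappingStorage sessionMappingStorage;

    public SingleSignOutAwareSessionStrategy(SessionAuthenticationStrategy delegate,
                                             SessionMappingStorage sessionMappingStorage) {
        this.delegate = delegate;
        this.sessionMappingStorage = sessionMappingStorage;
    }

    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response)
            throws SessionAuthenticationException {

        // 1. Let the wrapped strategy invalidate the old session and create the
        //    new one. SingleSignOutHttpSessionListener.sessionDestroyed() fires
        //    during this call and removes the "ST -> old session" mapping.
        delegate.onAuthentication(authentication, request, response);

        // 2. The ST that was just validated arrives as the "ticket" parameter
        //    (assumption: default artifact parameter name). It is the mapping id
        //    that SingleSignOutFilter keys its storage on.
        String ticket = request.getParameter("ticket");
        if (ticket == null || ticket.length() == 0) {
            return; // not a CAS ticket validation request; nothing to re-register
        }

        // 3. Bind the ST to the NEW session. A later single sign out request
        //    for this ST can now locate and invalidate the correct session.
        HttpSession newSession = request.getSession(false);
        if (newSession != null) {
            sessionMappingStorage.addSessionById(ticket, newSession);
        }
    }
}
```

Wiring (assumed property names): declare one SessionMappingStorage bean, inject it into SingleSignOutFilter's sessionMappingStorage property and into this strategy, and set the strategy as the sessionAuthenticationStrategy of CasAuthenticationFilter in place of the bare ConcurrentSessionControlStrategy. Because the re-registration happens only after the delegate has finished, the session-fixation protection is unchanged; the only behavioural difference is that the "ST to new session" association the original post found missing is present when the single sign out request arrives.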
Jan 14th, 2011, 11:33 AM
You are right that they will not work together. You might log a JIRA to request support for both. Naturally you can plug in your own implementations to correct the issue too.
Jan 17th, 2011, 02:37 AM
Thank you very much for your reply. I will create a JIRA issue.