-
Jan 14th, 2011, 08:41 AM
#1
JA-SIG CAS server. Single Sign Out feature conflict with session-fixation protection
Hello,
I ran into problems with the CAS Single Sign Out feature working together with the session-fixation protection feature.
Indeed, Spring Security's ConcurrentSessionControlStrategy always invalidates the existing session (a call to session.invalidate()) and creates a new one to prevent session-fixation attacks.
So, after the CAS login process, SingleSignOutHttpSessionListener.sessionDestroyed() is called, causing the "ST to original session" association to be removed from SingleSignOutFilter's SESSION_MAPPING_STORAGE member.
When a single sign out request is posted, the new session isn't invalidated because the "ST to new session" association was never registered in SingleSignOutFilter's SESSION_MAPPING_STORAGE member.
Versions:
Spring Security 3.0.5.RELEASE
Spring Security CAS Client 3.0.5.RELEASE
Cas Client Core 3.1.10
Cas Server 3.4.4
Thanks for replying.
Fabrice DUBOIS
-
Jan 14th, 2011, 11:33 AM
#2
You are right that they will not work together. You might log a JIRA to request support for both. Naturally you can plug in your own implementations to correct the issue too.
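One way to "plug in your own implementation", as an added example that is not code from this thread or from either project: a delegating SessionAuthenticationStrategy that lets the configured strategy migrate the session and then re-registers the new session under the service ticket, so a later single sign out request can still find it. It assumes Spring Security 3.0 and CAS client 3.1 APIs as named below, that the CasAuthenticationToken's credentials hold the service ticket, and that SingleSignOutFilter.getSessionMappingStorage() is reachable from where you deploy the class; the class name and package are hypothetical.

```java
package example.cas; // hypothetical package

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.jasig.cas.client.session.SessionMappingStorage;
import org.jasig.cas.client.session.SingleSignOutFilter;
import org.springframework.security.cas.authentication.CasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;

/**
 * Wraps the configured strategy (e.g. ConcurrentSessionControlStrategy).
 * The delegate invalidates the old session, which makes
 * SingleSignOutHttpSessionListener drop the "ST -> session" mapping; this
 * wrapper then maps the service ticket to the freshly created session so that
 * a CAS logoutRequest for that ticket still invalidates the right session.
 *
 * Wire it on CasAuthenticationFilter via setSessionAuthenticationStrategy
 * (the sessionAuthenticationStrategy property in XML config).
 */
public class CasSsoAwareSessionStrategy implements SessionAuthenticationStrategy {

    private final SessionAuthenticationStrategy delegate;

    public CasSsoAwareSessionStrategy(SessionAuthenticationStrategy delegate) {
        this.delegate = delegate;
    }

    public void onAuthentication(Authentication authentication,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        // Session-fixation protection: the delegate invalidates the current
        // session and creates a new one (the listener removes the old mapping).
        delegate.onAuthentication(authentication, request, response);

        if (!(authentication instanceof CasAuthenticationToken)) {
            return; // not a CAS login, nothing to re-register
        }
        // Assumption: for a CasAuthenticationToken the credentials are the ST,
        // which is the mapping id SingleSignOutFilter keys its storage by.
        String serviceTicket = String.valueOf(authentication.getCredentials());
        HttpSession newSession = request.getSession(true);

        SessionMappingStorage storage = SingleSignOutFilter.getSessionMappingStorage();
        storage.removeBySessionById(newSession.getId()); // drop any stale entry
        storage.addSessionById(serviceTicket, newSession); // ST -> new session
    }
}
```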
-
Jan 17th, 2011, 02:37 AM
#3
Thank you very much for your reply. I will create a JIRA issue.