-
Jan 5th, 2013, 02:32 AM
#1
CAS 3.5.1 CASTGC cookie
Hi,
I have deployed CAS 3.5.1 in the server. My observation showed me a strange occurrence:
1) I can see 2 CASTGC cookies with same name and value getting added
in the browser with the only difference in the cookie path - one set
with /cas-server-webapp-3.5.1 and the other /cas-server-webapp-3.5.1/
(please note the / appended). Debugging the code shows that the
CASTGC with the / appended is the only one getting added. I cannot
figure how the other gets added.
2) Calling logout shows me that there is a CASTGC cookie deleted in
the browser (monitoring through cookie manager addon) but immediately
I see the cookie with /cas-server-webapp-3.5.1 (one with no / appended)
path still unremoved.
What can be the root cause? I am unable to find how this gets added
again. Please let me know how to troubleshoot and close this issue.
Thanks,
Mckenzie
-
Jan 6th, 2013, 07:29 AM
#2
Hi,
I saw your question about "CASTGC cookie deletion" on the CAS mailing list. Didn't you get relevant help?
It's the first time I hear about 2 CASTGC cookies created: it's very strange. Did you try activating DEBUG logs on org.springframework.webflow to see what's going on?
Best regards,
Jérôme
-
Jan 6th, 2013, 11:56 PM
#3
Hi Jerome,
I am still not able to get a solution for that issue. But on further analysis of this, I have landed upon the above mentioned behaviour which has thrown some light on the root cause. As mentioned there is some way a duplicate cookie gets created. I have enabled and added the debug logs as per your suggestion. I believe that this duplicate cookie can be the cause of the issue.
I can see that login creates and sets only 1 CASTGC cookie in browser. On call of logout it deletes the one it has created. But the duplicate one (with path set as /cas-server-webapp-3.5.1) still exists in the browser.
To ensure there is no collision with any of our code, I redeployed the CAS 3.5.1 war in a Tomcat server and tried replicating the behaviour. I can see the behaviour in this as well.
Kindly suggest the way ahead. I have added the logs in the post for your reference. Sorry, the file could not be uploaded due to firewall issues.
2013-01-07 11:11:11,098 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas-server-webapp-3.5.1/>
2013-01-07 11:11:11,306 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
2013-01-07 11:11:11,319 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
2013-01-07 11:11:11,339 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-1-k6RunsWnst0j0raMC7a0ZR1Fdo3RLe>
2013-01-07 11:11:17,329 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
2013-01-07 11:11:17,329 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
2013-01-07 11:11:27,034 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler successfully authenticated [username: User]>
2013-01-07 11:11:27,035 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Attempting to resolve a principal...>
2013-01-07 11:11:27,035 DEBUG [org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver] - <Creating SimplePrincipal for [User]>
2013-01-07 11:11:27,037 DEBUG [org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - <Created seed map='{username=[User]}' for uid='User'>
2013-01-07 11:11:27,037 DEBUG [org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - <Adding attribute 'username' with value '[User]' to query builder 'null'>
2013-01-07 11:11:27,038 DEBUG [org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - <Generated query builder 'sql=[username = ?] args=[User]' from query Map {username=[User]}.>
2013-01-07 11:11:27,385 DEBUG [org.jasig.services.persondir.support.jdbc.SingleRowJdbcPersonAttributeDao] - <Executed 'select username, email, firstname, lastname from tablename where {0}' with arguments [User] and got results [{username=User, email=email, firstname=User, lastname=lastname}]>
2013-01-07 11:11:27,395 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal User>
2013-01-07 11:11:27,396 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Principal found: User>
2013-01-07 11:11:27,396 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Attribute map for User: {username=User, email=User_lastname@abc.com, lastname=Anthony, firstname=User}>
2013-01-07 11:11:27,408 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: User]
WHAT: supplied credentials: [username: User]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Jan 07 11:11:27 IST 2013
CLIENT IP ADDRESS: 10.66.237.34
SERVER IP ADDRESS: 10.219.66.224
=============================================================
>
2013-01-07 11:11:27,419 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org] to registry.>
2013-01-07 11:11:27,419 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: [username: User]
WHAT: TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Jan 07 11:11:27 IST 2013
CLIENT IP ADDRESS: 10.66.237.34
SERVER IP ADDRESS: 10.219.66.224
=============================================================
>
2013-01-07 11:11:27,420 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
2013-01-07 11:11:27,420 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org]>
2013-01-07 11:11:27,440 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
2013-01-07 11:11:27,440 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
2013-01-07 11:11:27,445 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Terminate web session 23089437C56F0739F99E422DA649EF05.node1 in 2 seconds>
After calling Logout
2013-01-07 11:11:32,293 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
2013-01-07 11:11:32,293 DEBUG [org.jasig.cas.services.DefaultServicesManagerImpl] - <Adding registered service ^(https?|imaps?)://.*>
2013-01-07 11:11:32,294 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 1 services.>
2013-01-07 11:13:02,282 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org] from registry.>
2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org]>
2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org] found in registry.>
2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Ticket found. Expiring and then deleting.>
2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org] from registry>
2013-01-07 11:13:02,283 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to retrieve ticket [TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org]>
2013-01-07 11:13:02,284 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-1-UKJCfD6mIbsyaVDfdO0pMTLljacFAzMAlzuJN0iaNN0yy1bExa-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Mon Jan 07 11:13:02 IST 2013
CLIENT IP ADDRESS: 10.66.237.34
SERVER IP ADDRESS: 10.219.66.224
=============================================================
>
2013-01-07 11:13:02,284 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASTGC]>
2013-01-07 11:13:02,285 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Removed cookie with name [CASPRIVACY]>
2013-01-07 11:13:02,319 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor did not generate service.>
2013-01-07 11:13:02,320 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - <Extractor did not generate service.>
Thanks,
Mckenzie
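Added example, not part of the original posts and not CAS code: a minimal Python model of how a browser keys stored cookies by name and path (RFC 6265), showing why a removal sent for `/cas-server-webapp-3.5.1/` leaves a `CASTGC` stored under `/cas-server-webapp-3.5.1` in place. The `CookieJar` class, the `simulate` helper and the ticket value are constructed for illustration; how the second cookie gets set is not modelled, since the thread does not establish it.

```python
from http.cookies import SimpleCookie

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

class CookieJar:
    """Single-host jar keyed by (name, path); RFC 6265 section 5.3 keys
    stored cookies by name, domain and path."""

    def __init__(self):
        self.store = {}

    def set_cookie(self, header):
        for name, morsel in SimpleCookie(header).items():
            key = (name, morsel["path"] or "/")
            if morsel["max-age"] == "0":
                # A removal only evicts the cookie with the same name AND path.
                self.store.pop(key, None)
            else:
                self.store[key] = morsel.value

    def sent_for(self, request_path):
        """(name, path) pairs the browser would attach to this request."""
        return sorted(k for k in self.store if path_match(request_path, k[1]))

CTX = "/cas-server-webapp-3.5.1"     # context path reported in the thread
TGT = "TGT-1-constructed-example"    # constructed ticket value

def simulate():
    jar = CookieJar()
    jar.set_cookie(f"CASTGC={TGT}; Path={CTX}/")   # the path CAS logs setting
    jar.set_cookie(f"CASTGC={TGT}; Path={CTX}")    # the duplicate seen in the browser
    before = jar.sent_for(f"{CTX}/login")
    # Logout removal, assumed to carry the same path CAS logged at login.
    jar.set_cookie(f"CASTGC=expired; Path={CTX}/; Max-Age=0")
    after = jar.sent_for(f"{CTX}/login")
    return before, after

if __name__ == "__main__":
    before, after = simulate()
    print("sent before logout:", before)
    print("sent after logout: ", after)
```

In the posted log the ticket itself is removed from the registry at logout, so the cookie left under the slash-less path carries the identifier of a ticket the server has already destroyed.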
-
Jan 8th, 2013, 02:34 AM
#4
Let's continue this discussion on the CAS mailing list: https://lists.wisc.edu/read/messages?id=24938374...
-
Jun 4th, 2013, 10:34 AM
#5
Hello mckenzie,
I'm having this same problem. I successfully deployed our jasig sso in my dev environment in Tomcat7 and it works perfectly with single signout. However, after I deployed the same war to our staging environment, which uses Resin 4.0 as the server, I am experiencing this perpetual cookie issue in my Resin server/container. I enabled debug log level and I noticed this:
...
"
2013-06-04 16:11:24,354 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Error getting service from flow state.>
java.lang.IllegalStateException: No active FlowSession to access; this FlowExecution has ended
at org.springframework.webflow.engine.impl.FlowExecutionImpl.getActiveSession(FlowExecutionImpl.java:191)
at org.springframework.webflow.engine.impl.RequestControlContextImpl.getFlowScope(RequestControlContextImpl.java:134)
"
...
I followed up on the CAS mailing list and noticed you mentioned some custom settings in Tomcat was the problem. Could you please provide some clarification on what exactly it was so I can see how I can solve it in Resin?
My version of cas-server is 3.5.2
Thanks
-
Jun 4th, 2013, 02:41 PM
#6
Hi,
I'm pretty confident that this is not the root cause of your problem.
That said, the easiest way to be sure is to comment the TerminateWebSessionListener in the cas-servlet.xml file and to re-test.
Best regards,
Jérôme
-
Jun 7th, 2013, 06:09 AM
#7
Well, I am unable to understand about this thread. Could anyone give me more information about it??