casjasig

How CAS server TGT cookie should be protected?


Our project is going to implement SSO recently, and I learned about some SSO methods and products, CAS is the very one I want to use, but some questions of our member I cannot answer, hope the authorities can help here:

Since CAS server TGT cookie is stored in the browser, once it's stolen or be copied to other machine, the other people can also login the WebApp as long as the TGT is not expired.

So, any method to protect against this scenario? or how should I consider about this scennaro?

Besides, what's the essential difference between cookie sharing sso (for example Webapp A and B combined by nginx) and CAS, since they are both based on cookies ?


Solution

  • The cookie is encrypted and signed. If it gets stolen, it's always cross checked against what the server knows.