Part of the response metadata coming back is if the authentication is
from a new login. I think it will also tell you what time the auth
happened. Don't trust the user-provided data; validate that what CAS is
telling you matches your security requirement. If it doesn't, don't let
them pass.
On 8/16/22 12:13, Pablo Vidaurri wrote:
So I have an application with certain parts allowing a long SSO
session and other areas that require login every time.
I know I can leverage the renew query parameter, but how do I prevent the
user from simply removing it and then accessing the secured part of the
app without logging in again?
For example, I want the user to provide their credentials every time
they access their profile. So if there is already an active
session for https://www.myapp.com and they access their profile, I
will redirect them to
https://www.mycas.com/auth/login?renew=true&TARGET=https://www.myapp.com/myprofile
This works, but I can also remove the renew query parameter and
directly hit myprofile page since I already have a session to the app.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/3ea11170-164e-4408-bc66-422bf188c108n%40apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/97bfa18a-9e8c-eb4c-b2fe-39bcac657d7a%40ndsu.edu.
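The reply above points at the fix for the "user just drops renew=true" problem: the application must not decide based on the URL it redirected to, but on the metadata CAS returns when the service ticket is validated. The CAS 3.0 protocol's serviceValidate response carries `isFromNewLogin`, `authenticationDate` and `longTermAuthenticationRequestTokenUsed` inside `<cas:attributes>`. The following is an added example (not code from the CAS project or from either participant in this thread) that parses such a response and applies a fail-closed "fresh login" policy to the profile route. The sample XML is constructed; the 60-second maximum age and the helper names are assumptions chosen for illustration, and the exact timestamp format CAS emits depends on your CAS version and configuration.

```python
"""Added example: enforce a 'login every time' rule on the application side
by checking the metadata in a CAS 3.0 /p3/serviceValidate response, instead
of trusting that the renew=true redirect was actually honoured."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample (not a real server response): the shape of a CAS 3.0
# validation success. Attribute names follow the CAS protocol spec; the
# user and timestamp values are made up.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:authenticationDate>2022-08-16T17:10:00Z</cas:authenticationDate>
      <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
      <cas:isFromNewLogin>true</cas:isFromNewLogin>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_cas_timestamp(text):
    """Parse an ISO-8601 timestamp as CAS renders it. Assumption: we tolerate a
    trailing zone id such as '[UTC]' and a 'Z' suffix; anything unparsable
    returns None so the caller fails closed."""
    if not text:
        return None
    cleaned = re.sub(r"\[.*\]$", "", text.strip()).replace("Z", "+00:00")
    try:
        parsed = datetime.fromisoformat(cleaned)
    except ValueError:
        return None
    # Treat a naive timestamp as UTC so comparisons below are well-defined.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def parse_validation(xml_text):
    """Extract the user and the authentication metadata CAS attached to the
    ticket. Returns None for a failure response or malformed XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    attrs = success.find("cas:attributes", CAS_NS)

    def attr(name):
        if attrs is None:
            return None
        return attrs.findtext(f"cas:{name}", namespaces=CAS_NS)

    def flag(name):
        return (attr(name) or "").strip().lower() == "true"

    return {
        "user": success.findtext("cas:user", namespaces=CAS_NS),
        "is_from_new_login": flag("isFromNewLogin"),
        "long_term_token": flag("longTermAuthenticationRequestTokenUsed"),
        "authentication_date": parse_cas_timestamp(attr("authenticationDate")),
    }


def fresh_login_ok(meta, now, max_age=timedelta(seconds=60)):
    """Policy for the 'login every time' area. Every missing or unexpected
    value is a deny: the user-controlled redirect URL never enters into it."""
    if meta is None or not meta["user"]:
        return False
    if meta["long_term_token"]:
        return False  # a remember-me login is never a fresh login
    if not meta["is_from_new_login"]:
        return False  # CAS reused an existing SSO session: renew was skipped
    if meta["authentication_date"] is None:
        return False  # no usable timestamp: fail closed
    return timedelta(0) <= now - meta["authentication_date"] <= max_age


def authorize_profile(xml_text, now):
    """What the /myprofile handler would do after validating the service
    ticket: return the username if the policy holds, otherwise None (and the
    app would redirect back to CAS with renew=true)."""
    meta = parse_validation(xml_text)
    return meta["user"] if fresh_login_ok(meta, now) else None


if __name__ == "__main__":
    now = parse_cas_timestamp("2022-08-16T17:10:30Z")
    print("fresh:", authorize_profile(SAMPLE_RESPONSE, now))
    later = now + timedelta(minutes=10)
    print("stale:", authorize_profile(SAMPLE_RESPONSE, later))
```

Because the decision is taken from the validated ticket rather than from the request, removing `renew=true` from the redirect gains the user nothing: CAS will then reuse the SSO session, `isFromNewLogin` comes back `false`, and the profile route denies and sends them back to CAS for a real login.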