Talk:Central Authentication Service
"Why are you still using Apache 1? Upgrade to Apache 2 already."
- Because that's what OpenBSD ships -- ajc30
Storing Usernames in the case.edu Cookie
What are the security implications of storing the person's username (abc12) in the .case.edu cookie? Not in the sense of using it for authentication, i.e. relying on the cookie and only the cookie for authentication, just for ease of use with static pages and client-side JavaScript detection of whether or not a person may be logged in and, if so, who they are. -- jms18
Hmmm... the more I think about it, the more I think it would be a bad idea. My idea was something on the order of, when a person is browsing his or her blog entries (the static HTML entries like http://blog.case.edu/jms18/2005/10/04/could_case_run_its_own_serverbased_aggregator), I could use JavaScript and determine whether or not the person may be jms18. If so, I could stick a link in there to "go edit this entry." Something like that. But, I think it lends itself to abuse. -- jms18
Why would we store the username in the .case.edu cookie when the username can be easily obtained by the CAS client using service tickets? A properly designed application will record the username in a server-side session. Also, cookies set for the .case.edu domain can be modified by any server in that domain. I could open up my browser and change the contents of the cookie. However, if the state is saved server-side... The only thing I can think of is a web service that, when presented with a service ticket, would return an XML document containing information pulled from LDAP and possibly other services. --Gregory.Szorc 13:49, October 5, 2005 (EDT)
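As an added example that is not part of this discussion: a CAS 2.0 client step that validates a service-ticket response and keeps the username in a server-side session, the approach Gregory describes, rather than in a *.case.edu cookie that any host in the domain could rewrite. The two XML documents are constructed samples in the CAS 2.0 /serviceValidate response format; the HTTPS request to the CAS server itself is left out.

```python
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, Optional

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed sample: a successful /serviceValidate response for user abc12.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>abc12</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: CAS rejecting a ticket (expired, already used, or made up).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def parse_service_validate(xml_text: str) -> Optional[str]:
    """Return the username CAS vouches for, or None if validation failed."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is None or not user.text:
        return None
    return user.text.strip()


# Server-side session store: opaque random id -> username. Only the id is ever
# sent to the browser, so editing the cookie cannot change who you are.
SESSIONS: Dict[str, str] = {}


def establish_session(validate_response: str) -> Optional[str]:
    """Consume one validation response; return the session id to set as the cookie."""
    username = parse_service_validate(validate_response)
    if username is None:
        return None
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def current_user(cookie_value: str) -> Optional[str]:
    """Resolve the cookie server-side; a cookie that merely says 'abc12' maps to nothing."""
    return SESSIONS.get(cookie_value)
```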
Seamless Login to CAS
I want to add a checkbox to the login prompt for our website that will say "log into CAS", and when checked will seamlessly log the user into the CAS system without making them go to the CAS login page (conversely, if unchecked they will log in only to our system). I looked at the login form for CAS and, unless the CAS server is checking the referrer to see where the form posted from, it looks like I could do this by requesting the login page, grabbing the values for all the hidden fields and posting it with the supplied credentials from the user. Is there already a convention for doing this? I read through the docs and it looks like there is a convention for verification that the user is logged into CAS, but none for logging someone in the first time without sending them to the login page. Any help or comments would be appreciated. Thanks.
- Currently, it is not possible to log someone into CAS without sending them to the web form on login.case.edu. To create a button to log into CAS, just create a form whose action is https://login.case.edu/cas/login and have a hidden form variable service which is the URL they will get redirected to after they post their credentials. --Gregory.Szorc 20:13, May 23, 2006 (EDT)
- If it is not possible at the moment, it definitely looks like it could work based on http://www.ja-sig.org/products/cas/overview/protocol/index.html sections 2.2.1 and 2.2.2. Unless our implementation has imposed more restrictions than what is described here, there seem to be no inherent limitations on posting to /login minus the three required parameters of username, password and a unique LT. That seems easy enough, but there must be something else going on under the hood, because if it was that easy you would have said so. Thanks.
