CAS Protocol Trace
I go to myum, but get redirected to HTTPS. The redirect is done by the Location: header in the response. An ASPSESSION cookie is being set, but that is Active Server Pages and is not part of CAS (or should not be part of CAS).
http://myum.miami.edu/

GET / HTTP/1.1
Host: myum.miami.edu
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 302 Object moved
Date: Wed, 09 Apr 2008 17:16:41 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2005.06.29T11:25-0400" exp "2008.07.01T12:00-0400" r (v 0 s 0 n 0 l 0))
Location: https://myum.miami.edu/
Content-Length: 144
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSQCDBAC=AIMDPPFCKHHGNFCBNMCJCCNP; path=/
Cache-Control: private
The request is now made to myum by https. A redirect is made to the CAS login service. The GET command has the URL to return to after authentication embedded as part of the query string (the service parameter). Notice the return of the cookie to myum, and the setting of another cookie.
https://myum.miami.edu/

GET / HTTP/1.1
Host: myum.miami.edu
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: ASPSESSIONIDCSQCDBAC=AIMDPPFCKHHGNFCBNMCJCCNP

HTTP/1.x 302 Object moved
Date: Wed, 09 Apr 2008 17:16:42 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2005.06.29T11:25-0400" exp "2008.07.01T12:00-0400" r (v 0 s 0 n 0 l 0))
Pragma: no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT, Wed, 09 Apr 2008 17:16:42 GMT
Location: https://caneid.miami.edu/cas/login?service=https://myum.miami.edu/idcheck.asp
Content-Length: 198
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCAAQDACC=FBFDBFGCOAEFNKLOFDKNAOFM; path=/
Cache-Control: private
The browser now goes to the CAS login service. Not shown is that the service returns the HTML of a login page.
https://caneid.miami.edu/cas/login?service=https://myum.miami.edu/idcheck.asp

GET /cas/login?service=https://myum.miami.edu/idcheck.asp HTTP/1.1
Host: caneid.miami.edu
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.x 200 OK
Date: Wed, 09 Apr 2008 17:16:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: no-store
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6348

[not shown .. HTML for a FORM with username and password textboxes]
I return the FORM. A POST action sends the values from the form in the body of the request, after the headers. The server response sets a Ticket Granting Cookie (CASTGC) in the response, and redirects back to myum, using the service value as a base and appending the ticket to the query string of the GET.
For some reason, Location: is not being used for the redirect. It might be because the HTTP headers must be set up early, and the CAS decision is made late. Redirects are also possible in the HTML using META tags. My guess is that this is what is being done here.
Note well that my password is in this message in the clear. Because https is being used, this might be safe: ascertain both confidentiality and authenticity (that the browser really is talking to caneid). Be aware, however, of the weakness here, and of the possibilities if, for instance, cross-site scripting or a damaged CAS proxy were introduced.
https://caneid.miami.edu/cas/login?service=https://myum.miami.edu/idcheck.asp

POST /cas/login?service=https://myum.miami.edu/idcheck.asp HTTP/1.1
Host: caneid.miami.edu
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://caneid.miami.edu/cas/login?service=https://myum.miami.edu/idcheck.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

username=brosenberg&password=xxxxxxxxxxxxx&lt=LT-236844-tABFrkK5AIpywjhgCTpQ&submit=Login

HTTP/1.x 200 OK
Date: Wed, 09 Apr 2008 17:16:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Pragma: no-cache
Cache-Control: no-store
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Set-Cookie: CASTGC=TGC-174620-TxaDMi8N3GHTGES8lKNCGW0SqNY9K2SoV20l7aKLfLJbNA4QLy; Path=/cas; Secure
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2240

[not shown, and not certain: a META tag redirecting to https://myum.miami.edu/idcheck.asp?ticket=ST-204774-qGEzLSccHjIfb0uxBfgj ]
Here is the redirect back, with the ticket. Not shown is the final step in the protocol, because it does not involve the browser: the service (in this case myum) presents the ticket to CAS at the validation URL to get an assurance that the ticket is valid. Returned with that YES or NO response is the username used in the authorization. This is a one-time ticket: once it has been validated, the CAS service will refuse additional requests to validate it.
https://myum.miami.edu/idcheck.asp?ticket=ST-204774-qGEzLSccHjIfb0uxBfgj

GET /idcheck.asp?ticket=ST-204774-qGEzLSccHjIfb0uxBfgj HTTP/1.1
Host: myum.miami.edu
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://caneid.miami.edu/cas/login?service=https://myum.miami.edu/idcheck.asp
Cookie: ASPSESSIONIDCSQCDBAC=AIMDPPFCKHHGNFCBNMCJCCNP; ASPSESSIONIDCAAQDACC=FBFDBFGCOAEFNKLOFDKNAOFM

HTTP/1.x 302 Object moved
Date: Wed, 09 Apr 2008 17:16:54 GMT
Server: Microsoft-IIS/6.0
PICS-Label: (PICS-1.0 "http://www.rsac.org/ratingsv01.html" l on "2005.06.29T11:25-0400" exp "2008.07.01T12:00-0400" r (v 0 s 0 n 0 l 0))
Pragma: no-cache, no-cache
Expires: Tue, 04 Dec 1993 21:29:02 GMT, Tue, 04 Dec 1993 21:29:02 GMT, Wed, 09 Apr 2008 17:16:53 GMT
Location: https://myum.miami.edu/myUMMain.asp
Content-Length: 156
Content-Type: text/html
Cache-Control: private
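The validation step that the trace cannot show, simulated offline as an added example (this is not code from the page or from the miami.edu CAS deployment). It assumes the CAS 1.0 validation endpoint /cas/validate and its plain-text reply format ("yes", then the username, one per line, or "no"), which the CAS protocol defines but the trace does not show; the ticket values are constructed, and the stand-in server enforces the two properties the text describes: the ticket is bound to the service it was issued for, and it validates exactly once.

```python
# Added example, not from the page. Endpoint /cas/validate and the
# "yes\n<user>\n" / "no\n\n" reply come from the CAS 1.0 spec (assumption
# here, not from the trace); tickets below are constructed, not captured.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SERVICE = "https://myum.miami.edu/idcheck.asp"   # service value seen in the trace


class CasServer:
    """Stand-in for the CAS side: issues a service ticket bound to one service
    URL and one username, and honours it exactly once."""
    def __init__(self):
        self._tickets = {}                    # ticket -> (service, username)

    def issue(self, service, username):
        ticket = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket] = (service, username)
        return ticket

    def validate(self, query):
        """Emulates GET /cas/validate?service=...&ticket=... (CAS 1.0 reply)."""
        q = parse_qs(query)
        ticket = q.get("ticket", [""])[0]
        service = q.get("service", [""])[0]
        # pop() consumes the ticket: a second presentation fails even if it
        # was genuine the first time, which is the one-time property.
        bound = self._tickets.pop(ticket, None)
        if bound is None or bound[0] != service:
            return "no\n\n"                   # unknown, replayed, or wrong service
        return f"yes\n{bound[1]}\n"


def service_login(cas, redirect_url, expected_service=SERVICE):
    """What idcheck.asp must do: take the ticket from the redirect URL, present
    it to CAS together with its own service URL, and parse the yes/no reply.
    Returns the username CAS vouched for, or None."""
    ticket = parse_qs(urlparse(redirect_url).query).get("ticket", [""])[0]
    if not ticket.startswith("ST-"):
        return None
    reply = cas.validate(urlencode({"service": expected_service, "ticket": ticket}))
    lines = reply.split("\n")
    if lines[0] != "yes" or len(lines) < 2 or not lines[1]:
        return None
    return lines[1]


def demo():
    cas = CasServer()
    url = f"{SERVICE}?ticket={cas.issue(SERVICE, 'brosenberg')}"
    first = service_login(cas, url)           # "brosenberg"
    replay = service_login(cas, url)          # None: ticket already consumed
    other = cas.issue("https://other.example/", "someone")   # issued for another service
    wrong = service_login(cas, f"{SERVICE}?ticket={other}")  # None: service mismatch
    return first, replay, wrong
```

Note that the service must pass the same service URL it was redirected through; CAS rejects a ticket presented with a different one, so the ticket cannot be carried from one service to another.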