Phil Ames

Results: 13 comments of Phil Ames

Can you also add tests for this new functionality? I should state that I'm not 100% sold on the benefit of this just yet, at least for 'default enabled' mode...

I think if you're using a browser that doesn't support httpOnly in 2014 (>99% support since 2011 according to https://www.owasp.org/index.php/HttpOnly#Browsers_Supporting_HttpOnly), you have far bigger problems than session hijacking :-) Your...

OK, this LGTM modulo that TODO assuming it doesn't break any existing tests. Other random thoughts (don't necessarily have to be addressed in this PR, but just things to talk...

Another thought came to me. If you have different CAS servers for different URLs, then that means the authentication cookie should be bound to the CAS server it came from....

I do think we should resolve https://github.com/Jasig/mod_auth_cas/pull/36#issuecomment-10226107 before merging this. Path might be nice-to-have, but since the path of a URI is not the strongest security boundary (XSS anywhere else...

Thanks for reporting this. To help us better assess the severity of this, can you also share the following information? 1) mod_auth_cas version you are using (if on a distribution,...

@cschofld thanks for providing the additional extra detail. So, I am not aware of any browser which will actually take action when the response code is a 302 but more...

@dhawes OK I had some time to look at how we use that function, and the implementation as well. Looks like that interface was added to APR in 2013. The...

OK, I think I addressed all your comments, and I _tried_ to rebase/squash but I have no clue if I did it right :-)

As the person responsible for the bulk of the original atrocities in the code here, I feel an obligation to chime in: The check was added because there is/was essentially...