Description
If a user's browser navigates repeatedly to an application without completing the CAS login process, the result is a 403 error from the target application.
On the first request to the target application, no session state exists, so the extension sets the CAS cookie to the value 0 and redirects to the login URI. On the second request to the target application, the extension changes the cookie value to non-zero and again redirects to login. On the third request to the target application, because the cookie is already non-zero, no redirect occurs: the extension concludes that the CAS login has already been completed or has failed. Since the user is not yet logged in via CAS, the user has no identity or roles in the target application, and so a 403 error is returned.