[jira] [Commented] (HADOOP-18030) Authentication cookie will never expire by default after HADOOP-12049

Thu, 02 Dec 2021 11:25:06 -0800 


    [ 
https://issues.apache.org/jira/browse/HADOOP-18030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452569#comment-17452569
 ] 

Larry McCay commented on HADOOP-18030:
--------------------------------------

[~lalapala] - this JIRA seems to articulate exactly what HADOOP-12049 says that 
it is doing.
Are you saying that we need to set expires when isCoookiePersistent is false as 
well - in other words, for session cookies?

As I understand HADOOP-12049, the previous implementation only had persistent 
or permanent cookies which include an expires attribute.
The change there was to introduce session cookies which do not have an expires 
attribute and by default we assume session cookies.
Perhaps there was a backward compatibility issue there for default behavior but 
it seems to be what I would expect with the stated intent of that change.

So, do you have a unit test or something that indicates that there is some gap 
with the current implementation?


> Authentication cookie will never expire by default after HADOOP-12049
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-18030
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18030
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.1.0
>            Reporter: gaozhan ding
>            Priority: Major
>
> Whlie create auth cookie for client, AuthenticationFilter will add "Expires"  
> attribute for the cookie if needed. But after 
> https://issues.apache.org/jira/browse/HADOOP-12049, it never enter the code 
> block by default.
>  
>  
> {code:java}
> // AuthenticationFilter
> public static void createAuthCookie(HttpServletResponse resp, String token,
>                                     String domain, String path, long expires,
>                                     boolean isCookiePersistent,
>                                     boolean isSecure) {
>   //...
>   //By default, isCookiePersistent = false
>   if (expires >= 0 && isCookiePersistent) {
>     Date date = new Date(expires);
>     SimpleDateFormat df = new SimpleDateFormat("EEE, " +
>             "dd-MMM-yyyy HH:mm:ss zzz");
>     df.setTimeZone(TimeZone.getTimeZone("GMT"));
>     sb.append("; Expires=").append(df.format(date));
>   }
>   //...
> }{code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to