This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 71a66af36e Fix authenticationSessionTimeout when sessions have an
infinite timeout
71a66af36e is described below
commit 71a66af36ee5fd6fa26f019bd13e77a697b86940
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed May 7 10:56:42 2025 +0100
Fix authenticationSessionTimeout when sessions have an infinite timeout
---
.../catalina/authenticator/FormAuthenticator.java | 12 +++++++-----
.../apache/catalina/authenticator/SavedRequest.java | 20 +++++++++++++++++---
webapps/docs/changelog.xml | 5 +++++
3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 12dee55245..c53da4f308 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -641,8 +641,8 @@ public class FormAuthenticator extends AuthenticatorBase {
request.getCoyoteRequest().queryString().toStringType();
request.getCoyoteRequest().protocol().toStringType();
- if (saved.getOriginalMaxInactiveInterval() > 0) {
-
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval());
+ if (saved.getOriginalMaxInactiveIntervalOptional().isPresent()) {
+
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveIntervalOptional().getAsInt());
}
return true;
@@ -713,17 +713,19 @@ public class FormAuthenticator extends AuthenticatorBase {
SavedRequest previousSavedRequest = (SavedRequest)
session.getNote(Constants.FORM_REQUEST_NOTE);
if (session.isNew()) {
int originalMaxInactiveInterval = session.getMaxInactiveInterval();
- if (originalMaxInactiveInterval >
getAuthenticationSessionTimeout()) {
+ if (originalMaxInactiveInterval >
getAuthenticationSessionTimeout() || originalMaxInactiveInterval <= 0) {
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
}
- } else if (previousSavedRequest != null &&
previousSavedRequest.getOriginalMaxInactiveInterval() > 0) {
+ } else if (previousSavedRequest != null &&
+
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().isPresent()) {
/*
* The user may have refreshed the browser page during
authentication. Transfer the original max inactive
* interval from previous saved request to current one else, once
authentication is completed, the session
* will retain the shorter authentication session timeout
*/
-
saved.setOriginalMaxInactiveInterval(previousSavedRequest.getOriginalMaxInactiveInterval());
+ saved.setOriginalMaxInactiveInterval(
+
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().getAsInt());
}
// Stash the SavedRequest in our session for later use
diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java
b/java/org/apache/catalina/authenticator/SavedRequest.java
index 28ef581ca0..12804672a6 100644
--- a/java/org/apache/catalina/authenticator/SavedRequest.java
+++ b/java/org/apache/catalina/authenticator/SavedRequest.java
@@ -25,6 +25,7 @@ import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import java.util.OptionalInt;
import jakarta.servlet.http.Cookie;
@@ -183,13 +184,26 @@ public final class SavedRequest implements Serializable {
/**
* The original maxInactiveInterval for the session.
*/
- private int originalMaxInactiveInterval = -1;
+ private OptionalInt originalMaxInactiveInterval = OptionalInt.empty();
- public int getOriginalMaxInactiveInterval() {
+ public OptionalInt getOriginalMaxInactiveIntervalOptional() {
return originalMaxInactiveInterval;
}
+ /**
+ * Obtain the original session maxInactiveInterval.
+ *
+ * @return the original session maxInactiveInterval
+ *
+ * @deprecated This method will be removed in Tomcat 12.0.x onwards. Use
+ * {@link
SavedRequest#getOriginalMaxInactiveIntervalOptional()}
+ */
+ @Deprecated
+ public int getOriginalMaxInactiveInterval() {
+ return originalMaxInactiveInterval.orElse(-1);
+ }
+
public void setOriginalMaxInactiveInterval(int
originalMaxInactiveInterval) {
- this.originalMaxInactiveInterval = originalMaxInactiveInterval;
+ this.originalMaxInactiveInterval =
OptionalInt.of(originalMaxInactiveInterval);
}
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 800c206e6e..311f55458b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -137,6 +137,11 @@
<bug>69662</bug>: Report name in exception message when a naming lookup
failure occurs. Based on code submitted by Donald Smith. (remm)
</fix>
+ <fix>
+ Ensure that the FORM authentication attribute
+ <code>authenticationSessionTimeout</code> works correctly when sessions
+ have an infinite timeout when authentication starts. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
