(tomcat) branch 11.0.x updated: Fix authenticationSessionTimeout when sessions have an infinite timeout

Wed, 07 May 2025 02:57:55 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new 71a66af36e Fix authenticationSessionTimeout when sessions have an 
infinite timeout
71a66af36e is described below

commit 71a66af36ee5fd6fa26f019bd13e77a697b86940
Author: Mark Thomas <[email protected]>
AuthorDate: Wed May 7 10:56:42 2025 +0100

    Fix authenticationSessionTimeout when sessions have an infinite timeout
---
 .../catalina/authenticator/FormAuthenticator.java    | 12 +++++++-----
 .../apache/catalina/authenticator/SavedRequest.java  | 20 +++++++++++++++++---
 webapps/docs/changelog.xml                           |  5 +++++
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java 
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 12dee55245..c53da4f308 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -641,8 +641,8 @@ public class FormAuthenticator extends AuthenticatorBase {
         request.getCoyoteRequest().queryString().toStringType();
         request.getCoyoteRequest().protocol().toStringType();
 
-        if (saved.getOriginalMaxInactiveInterval() > 0) {
-            
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval());
+        if (saved.getOriginalMaxInactiveIntervalOptional().isPresent()) {
+            
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveIntervalOptional().getAsInt());
         }
 
         return true;
@@ -713,17 +713,19 @@ public class FormAuthenticator extends AuthenticatorBase {
         SavedRequest previousSavedRequest = (SavedRequest) 
session.getNote(Constants.FORM_REQUEST_NOTE);
         if (session.isNew()) {
             int originalMaxInactiveInterval = session.getMaxInactiveInterval();
-            if (originalMaxInactiveInterval > 
getAuthenticationSessionTimeout()) {
+            if (originalMaxInactiveInterval > 
getAuthenticationSessionTimeout() || originalMaxInactiveInterval <= 0) {
                 
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
                 
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
             }
-        } else if (previousSavedRequest != null && 
previousSavedRequest.getOriginalMaxInactiveInterval() > 0) {
+        } else if (previousSavedRequest != null &&
+                
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().isPresent()) {
             /*
              * The user may have refreshed the browser page during 
authentication. Transfer the original max inactive
              * interval from previous saved request to current one else, once 
authentication is completed, the session
              * will retain the shorter authentication session timeout
              */
-            
saved.setOriginalMaxInactiveInterval(previousSavedRequest.getOriginalMaxInactiveInterval());
+            saved.setOriginalMaxInactiveInterval(
+                    
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().getAsInt());
         }
 
         // Stash the SavedRequest in our session for later use
diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java 
b/java/org/apache/catalina/authenticator/SavedRequest.java
index 28ef581ca0..12804672a6 100644
--- a/java/org/apache/catalina/authenticator/SavedRequest.java
+++ b/java/org/apache/catalina/authenticator/SavedRequest.java
@@ -25,6 +25,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.OptionalInt;
 
 import jakarta.servlet.http.Cookie;
 
@@ -183,13 +184,26 @@ public final class SavedRequest implements Serializable {
     /**
      * The original maxInactiveInterval for the session.
      */
-    private int originalMaxInactiveInterval = -1;
+    private OptionalInt originalMaxInactiveInterval = OptionalInt.empty();
 
-    public int getOriginalMaxInactiveInterval() {
+    public OptionalInt getOriginalMaxInactiveIntervalOptional() {
         return originalMaxInactiveInterval;
     }
 
+    /**
+     * Obtain the original session maxInactiveInterval.
+     *
+     * @return the original session maxInactiveInterval
+     *
+     * @deprecated This method will be removed in Tomcat 12.0.x onwards. Use
+     *                 {@link 
SavedRequest#getOriginalMaxInactiveIntervalOptional()}
+     */
+    @Deprecated
+    public int getOriginalMaxInactiveInterval() {
+        return originalMaxInactiveInterval.orElse(-1);
+    }
+
     public void setOriginalMaxInactiveInterval(int 
originalMaxInactiveInterval) {
-        this.originalMaxInactiveInterval = originalMaxInactiveInterval;
+        this.originalMaxInactiveInterval = 
OptionalInt.of(originalMaxInactiveInterval);
     }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 800c206e6e..311f55458b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -137,6 +137,11 @@
         <bug>69662</bug>: Report name in exception message when a naming lookup
         failure occurs. Based on code submitted by Donald Smith. (remm)
       </fix>
+      <fix>
+        Ensure that the FORM authentication attribute
+        <code>authenticationSessionTimeout</code> works correctly when sessions
+        have an infinite timeout when authentication starts. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to