This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 02891156ce Fix authenticationSessionTimeout when sessions have an
infinite timeout
02891156ce is described below
commit 02891156ce0509d5c8bb3731fec824446f5d9c1f
Author: Mark Thomas <[email protected]>
AuthorDate: Wed May 7 10:56:42 2025 +0100
Fix authenticationSessionTimeout when sessions have an infinite timeout
---
.../catalina/authenticator/FormAuthenticator.java | 18 ++++++++++--------
.../apache/catalina/authenticator/SavedRequest.java | 20 +++++++++++++++++---
webapps/docs/changelog.xml | 5 +++++
3 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index ab99aa1987..d18d7ab9cd 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -646,8 +646,8 @@ public class FormAuthenticator extends AuthenticatorBase {
request.getCoyoteRequest().queryString().toStringType();
request.getCoyoteRequest().protocol().toStringType();
- if (saved.getOriginalMaxInactiveInterval() > 0) {
-
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveInterval());
+ if (saved.getOriginalMaxInactiveIntervalOptional().isPresent()) {
+
session.setMaxInactiveInterval(saved.getOriginalMaxInactiveIntervalOptional().getAsInt());
}
return true;
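Review bot: `saved.getOriginalMaxInactiveIntervalOptional()` is called twice on consecutive lines, once for `isPresent()` and once for `getAsInt()`; the `OptionalInt` idiom is `saved.getOriginalMaxInactiveIntervalOptional().ifPresent(session::setMaxInactiveInterval);`, which replaces the whole three-line `if` block. The same double call appears in the `else if` branch of the second hunk of this file, where binding the optional to a local (`OptionalInt previous = previousSavedRequest.getOriginalMaxInactiveIntervalOptional();`) would avoid repeating the accessor in both the condition and the body. The enclosing method starts and ends outside this hunk.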
@@ -719,17 +719,19 @@ public class FormAuthenticator extends AuthenticatorBase {
if (session instanceof HttpSession) {
if (((HttpSession) session).isNew()) {
int originalMaxInactiveInterval =
session.getMaxInactiveInterval();
- if (originalMaxInactiveInterval >
getAuthenticationSessionTimeout()) {
+ if (originalMaxInactiveInterval >
getAuthenticationSessionTimeout() || originalMaxInactiveInterval <= 0) {
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
}
- } else if (previousSavedRequest != null &&
previousSavedRequest.getOriginalMaxInactiveInterval() > 0) {
+ } else if (previousSavedRequest != null &&
+
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().isPresent()) {
/*
- * The user may have refreshed the browser page during
authentication. Transfer the original max
- * inactive interval from previous saved request to current
one else, once authentication is completed,
- * the session will retain the the shorter authentication
session timeout
+ * The user may have refreshed the browser page during
authentication. Transfer the original max inactive
+ * interval from previous saved request to current one else,
once authentication is completed, the session
+ * will retain the shorter authentication session timeout
*/
-
saved.setOriginalMaxInactiveInterval(previousSavedRequest.getOriginalMaxInactiveInterval());
+ saved.setOriginalMaxInactiveInterval(
+
previousSavedRequest.getOriginalMaxInactiveIntervalOptional().getAsInt());
}
}
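Review bot: The added `|| originalMaxInactiveInterval <= 0` disjunct is the actual fix but carries no comment explaining it, and the reason is not obvious from the condition alone: a non-positive interval means the session never expires, and the old `>` comparison treated it as shorter than the authentication timeout, so such sessions were never capped during authentication. Suggest a line above the `if`: `// A non-positive interval means the session never expires; it must be capped during authentication too`. Whether `getAuthenticationSessionTimeout()` can itself be non-positive is not visible from the hunk; if it can, this branch would replace one non-expiring value with another, which looks harmless but could be stated in the same comment. The enclosing method starts outside this hunk.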
diff --git a/java/org/apache/catalina/authenticator/SavedRequest.java
b/java/org/apache/catalina/authenticator/SavedRequest.java
index a1ce589abe..b346ce79bc 100644
--- a/java/org/apache/catalina/authenticator/SavedRequest.java
+++ b/java/org/apache/catalina/authenticator/SavedRequest.java
@@ -24,6 +24,7 @@ import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import java.util.OptionalInt;
import jakarta.servlet.http.Cookie;
@@ -181,13 +182,26 @@ public final class SavedRequest implements Serializable {
/**
* The original maxInactiveInterval for the session.
*/
- private int originalMaxInactiveInterval = -1;
+ private OptionalInt originalMaxInactiveInterval = OptionalInt.empty();
- public int getOriginalMaxInactiveInterval() {
+ public OptionalInt getOriginalMaxInactiveIntervalOptional() {
return originalMaxInactiveInterval;
}
+ /**
+ * Obtain the original session maxInactiveInterval.
+ *
+ * @return the original session maxInactiveInterval
+ *
+ * @deprecated This method will be removed in Tomcat 12.0.x onwards. Use
+ * {@link
SavedRequest#getOriginalMaxInactiveIntervalOptional()}
+ */
+ @Deprecated
+ public int getOriginalMaxInactiveInterval() {
+ return originalMaxInactiveInterval.orElse(-1);
+ }
+
public void setOriginalMaxInactiveInterval(int
originalMaxInactiveInterval) {
- this.originalMaxInactiveInterval = originalMaxInactiveInterval;
+ this.originalMaxInactiveInterval =
OptionalInt.of(originalMaxInactiveInterval);
}
}
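Review bot: Changing the field to `private OptionalInt originalMaxInactiveInterval` breaks Java serialization of this class: `java.util.OptionalInt` does not implement `Serializable`, while the hunk header shows `public final class SavedRequest implements Serializable`, so serializing an instance with this non-transient field now throws `NotSerializableException`. The class is presumably declared Serializable because instances are stored in the session and must survive session persistence or replication, so this looks like a regression worth covering with a serialization round-trip test. The presence flag can be kept in primitive fields and the `OptionalInt` built in the getter, as sketched below, with the deprecated getter derived from the new one. The new public `getOriginalMaxInactiveIntervalOptional()` also lacks the Javadoc its deprecated sibling received, e.g. `Obtain the original session maxInactiveInterval, or an empty OptionalInt if none was recorded.`. The class body continues outside the hunk.
```java
    /**
     * The original maxInactiveInterval for the session. Held as primitives
     * rather than an OptionalInt so that this class remains Serializable.
     */
    private int originalMaxInactiveInterval = -1;
    private boolean originalMaxInactiveIntervalSet = false;

    public OptionalInt getOriginalMaxInactiveIntervalOptional() {
        return originalMaxInactiveIntervalSet ? OptionalInt.of(originalMaxInactiveInterval) : OptionalInt.empty();
    }

    // … unchanged: Javadoc and @Deprecated annotation of getOriginalMaxInactiveInterval() …
    public int getOriginalMaxInactiveInterval() {
        return getOriginalMaxInactiveIntervalOptional().orElse(-1);
    }

    public void setOriginalMaxInactiveInterval(int originalMaxInactiveInterval) {
        this.originalMaxInactiveInterval = originalMaxInactiveInterval;
        this.originalMaxInactiveIntervalSet = true;
    }
```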
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 04ef6e47a3..d0315814ef 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -146,6 +146,11 @@
<bug>69662</bug>: Report name in exception message when a naming lookup
failure occurs. Based on code submitted by Donald Smith. (remm)
</fix>
+ <fix>
+ Ensure that the FORM authentication attribute
+ <code>authenticationSessionTimeout</code> works correctly when sessions
+ have an infinite timeout when authentication starts. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">