This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 738ad8844e Fix BZ 67793 - use correct session timeout after refresh 
during auth
738ad8844e is described below

commit 738ad8844e522306a5dd5faebef4f03f4856fc54
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Nov 2 11:04:19 2023 +0000

    Fix BZ 67793 - use correct session timeout after refresh during auth
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=67793
---
 .../catalina/authenticator/FormAuthenticator.java    | 20 +++++++++++++++-----
 webapps/docs/changelog.xml                           |  6 ++++++
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java 
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index d54cc62182..52b76ea398 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -716,11 +716,21 @@ public class FormAuthenticator extends AuthenticatorBase {
         saved.setRequestURI(request.getRequestURI());
         saved.setDecodedRequestURI(request.getDecodedRequestURI());
 
-        if (session instanceof HttpSession && ((HttpSession) session).isNew()) 
{
-            int originalMaxInactiveInterval = session.getMaxInactiveInterval();
-            if (originalMaxInactiveInterval > 
getAuthenticationSessionTimeout()) {
-                
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
-                
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
+        SavedRequest previousSavedRequest = (SavedRequest) 
session.getNote(Constants.FORM_REQUEST_NOTE);
+        if (session instanceof HttpSession) {
+            if (((HttpSession) session).isNew()) {
+                int originalMaxInactiveInterval = 
session.getMaxInactiveInterval();
+                if (originalMaxInactiveInterval > 
getAuthenticationSessionTimeout()) {
+                    
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
+                    
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
+                }
+            } else if (previousSavedRequest != null && 
previousSavedRequest.getOriginalMaxInactiveInterval() > 0) {
+                /*
+                 * The user may have refreshed the browser page during 
authentication. Transfer the original max inactive
+                 * interval from previous saved request to current one else, 
once authentication is completed, the session
+                 * will retain the the shorter authentication session timeout
+                 */
+                
saved.setOriginalMaxInactiveInterval(previousSavedRequest.getOriginalMaxInactiveInterval());
             }
         }
 
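Review bot: The explanatory comment in the new `else if` branch has a doubled word ("retain the the shorter authentication session timeout") and does not say where the note it depends on comes from; a reader of this branch would benefit from a line such as `// FORM_REQUEST_NOTE holds the SavedRequest stored by an earlier pass through this method; non-null means a login is already in progress` — assuming this authenticator is the only writer of that note, which the hunk does not show. The lookup `SavedRequest previousSavedRequest = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);` now runs on every call, including the new-session path where it is never read; moving it inside the `else if` keeps the cast off that path and makes its purpose local. The `> 0` guard presumably relies on the default value of `originalMaxInactiveInterval` in SavedRequest being non-positive, which is worth stating in the comment so the two classes cannot drift apart silently. The enclosing method starts and ends outside the hunk.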
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 8458aaf009..4f32b549d0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -121,6 +121,12 @@
         Optionally allow ServiceBindingPropertySource to trim a trailing 
newline
         from a file containing a property-value. (schultz)
       </update>
+      <fix>
+        <bug>67793</bug>: Ensure the original session timeout is restored after
+        FORM authentication if the user refreshes a page during the FORM
+        authentication process. Based on a suggestion by Mircea Butmalai.
+        (markt)
+      </fix>
       <update>
         <bug>67926</bug>: <code>PEMFile</code> prints unidentifiable string
         representation of ASN.1 OIDs. (michaelo)

