https://bz.apache.org/bugzilla/show_bug.cgi?id=67793
Bug ID: 67793
Summary: FORM authenticator does not remember original max inactive interval in all use-cases
Product: Tomcat 10
Version: 10.1.8
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: mircea.butma...@radcom.ro
Target Milestone: ------

There is a use-case in which the FORM authenticator does not remember the original session inactive timeout value and (after successful authentication) the session inactive timeout remains at the default 2 minute value, which is very low for a default web session.

Example use case is as follows:

1. You access a protected resource for the first time. At this point the FORM authenticator forwards to the login page and saves data from the original request to the session note Constants.FORM_REQUEST_NOTE, including the session's original inactive timeout value, and temporarily resets the session inactive timeout to 2 minutes (default value).

2. You refresh the page from the browser inside the 2 minute timeframe. At this point the FORM authenticator forwards again to the login page and saves again the data from this request. AT THIS POINT: you lose the original inactive timeout, because at step 1 the session inactive timeout was set to 2 minutes.

In order to correct this use case we propose to change the code of class org.apache.catalina.authenticator.FormAuthenticator in tomcat-catalina as follows: line 719 (as of release 10.1.13) currently has the following contents:

    if (session instanceof HttpSession && ((HttpSession) session).isNew()) {
        int originalMaxInactiveInterval = session.getMaxInactiveInterval();
        if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
            saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
            session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
        }
    }

Change it to the following contents:

    final SavedRequest oldSaved = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
    if (session instanceof HttpSession) {
        final HttpSession httpSession = (HttpSession) session;
        if (httpSession.isNew()) {
            final int originalMaxInactiveInterval = session.getMaxInactiveInterval();
            if (originalMaxInactiveInterval > authenticationSessionTimeout) {
                saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
                session.setMaxInactiveInterval(authenticationSessionTimeout);
            }
        } else if ((oldSaved != null) && (oldSaved.getOriginalMaxInactiveInterval() > 0)) {
            saved.setOriginalMaxInactiveInterval(oldSaved.getOriginalMaxInactiveInterval());
        }
    }

PS: the problem seems to exist also in the current releases of Tomcat 11.x, Tomcat 8.5.x and Tomcat 9.0.x.

Best regards.
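A stand-alone model of the two-request sequence described in the report, added here as an example and not code from Tomcat or from the reporter: it replays the "first access, then refresh within 2 minutes" scenario through both the current and the proposed branch. FakeSession, SavedReq and the 1800 second original timeout are constructed stand-ins for the servlet session, SavedRequest and a typical web.xml session-timeout.

```java
import java.util.HashMap;
import java.util.Map;

public class FormTimeoutDemo {
    static final int AUTH_TIMEOUT = 120;          // authenticationSessionTimeout default: 2 minutes
    static final String NOTE = "FORM_REQUEST_NOTE"; // stands in for Constants.FORM_REQUEST_NOTE

    /** Constructed stand-in for the session: note storage plus max inactive interval. */
    static class FakeSession {
        final Map<String, Object> notes = new HashMap<>();
        int maxInactiveInterval = 1800; // constructed: 30 minute original timeout
        boolean isNew = true;
        Object getNote(String k) { return notes.get(k); }
        void setNote(String k, Object v) { notes.put(k, v); }
    }

    /** Constructed stand-in for SavedRequest; -1 means "nothing recorded". */
    static class SavedReq { int originalMaxInactiveInterval = -1; }

    /** Mirrors the branch from the report; proposedFix=false is the current code, true the proposal. */
    static void saveRequest(FakeSession s, boolean proposedFix) {
        SavedReq oldSaved = (SavedReq) s.getNote(NOTE);
        SavedReq saved = new SavedReq();
        if (s.isNew) {
            int orig = s.maxInactiveInterval;
            if (orig > AUTH_TIMEOUT) {
                saved.originalMaxInactiveInterval = orig; // remember it for the post-login restore
                s.maxInactiveInterval = AUTH_TIMEOUT;     // shrink while unauthenticated
            }
        } else if (proposedFix && oldSaved != null && oldSaved.originalMaxInactiveInterval > 0) {
            saved.originalMaxInactiveInterval = oldSaved.originalMaxInactiveInterval; // carry it over
        }
        s.setNote(NOTE, saved); // each forward to the login page overwrites the note
    }

    /** Step 1: first access on a new session. Step 2: refresh on the same, no longer new, session. */
    static int recordedOriginalAfterRefresh(boolean proposedFix) {
        FakeSession s = new FakeSession();
        saveRequest(s, proposedFix);
        s.isNew = false;
        saveRequest(s, proposedFix);
        return ((SavedReq) s.getNote(NOTE)).originalMaxInactiveInterval;
    }

    public static void main(String[] args) {
        System.out.println("current code:  " + recordedOriginalAfterRefresh(false)); // -1: 1800 is lost
        System.out.println("proposed code: " + recordedOriginalAfterRefresh(true));  // 1800
    }
}
```

With the current branch the second SavedRequest carries no original value, so nothing larger than the 2 minute interval is available to restore after login; the proposed branch copies it forward from the note written at step 1.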