DO NOT REPLY [Bug 29956] New: - Incorrect handling of negative timeout in SingleSignOn.sessionEvent()

bugzilla Wed, 07 Jul 2004 11:01:22 -0700

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29956>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.


http://issues.apache.org/bugzilla/show_bug.cgi?id=29956

Incorrect handling of negative timeout in SingleSignOn.sessionEvent()

           Summary: Incorrect handling of negative timeout in
                    SingleSignOn.sessionEvent()
           Product: Tomcat 4
           Version: 4.1.30
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


When SingleSignOn.sessionEvent() is handling a destroyed session, it checks
whether the session is expiring because it timed out or because it was
explicitly logged out.  This check fails to account for the negative timeout
case.  To fix, at line 387, replace:

        if (System.currentTimeMillis() - session.getLastAccessedTime() >=
                session.getMaxInactiveInterval() * 1000) {            

with

        if ((session.getMaxInactiveInterval() > 0) &&
            (System.currentTimeMillis() - session.getLastAccessedTime() >=
                session.getMaxInactiveInterval() * 1000) {

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

DO NOT REPLY [Bug 29956] New: - Incorrect handling of negative timeout in SingleSignOn.sessionEvent()

Reply via email to