Robert Bradley <robert.brad...@it.ox.ac.uk> writes:

> I'm currently in the process of performing an upgrade of our Webauth
> cluster from Webauth 3.7.4 (Debian squeeze) to 4.6.1 (Debian jessie).
> This process has gone very well despite the large jump in versions and
> the switch to Template Toolkit for templating. However, I have run into
> a small problem with login timeouts. At present, if a user leaves the
> login page for over 5 minutes before entering their username and
> password, they get a message saying that they took too long to log in.
> When I try the same thing with the new Webauth 4 servers though, the
> user is successfully logged in. I can replicate this easily even when
> setting "WebKdcTokenMaxTTL 30s" and "WebKdcLoginTimeLimit 30s" in Apache
> to deliberately reduce the timeouts.
> There is probably some misunderstanding on my part here, but I was
> wondering if anyone else had seen this?

WebKdcTokenMaxTTL should be controlling this.... (WebKdcLoginTimeLimit is
something different.)

Oh. So, this patch might help:

--- a/modules/webkdc/mod_webkdc.c
+++ b/modules/webkdc/mod_webkdc.c
@@ -990,9 +990,11 @@ parse_request_token(MWK_REQ_CTXT *rc, const char *token,
     /* Copy the token and do some additional checks. */
     *rt = &data->token.request;
     expiration = (*rt)->creation + rc->sconf->token_max_ttl;
-    if (expiration < time(NULL))
+    if (expiration < time(NULL)) {
         set_errorResponse(rc, WA_PEC_REQUEST_TOKEN_STALE,
                           "request token was stale", mwk_func, false);
+        return MWK_ERROR;
+    }
     return MWK_OK;
 }

Looks like I introduced that bug in WebAuth 4.0.0 and no one ever noticed.
(Note that there's no actual private data in the login request, so it's not
clear that there's any important security reason to use an aggressive
timeout here.)

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
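Review bot: the out-parameter `*rt` is assigned `&data->token.request` before the staleness check, so on the new `return MWK_ERROR;` path a caller that does not check the return value is still left holding a pointer to the stale token; consider moving the `*rt = ...` assignment below the check, or setting `*rt = NULL;` just before `return MWK_ERROR;`, so a stale token cannot be used by mistake. The added return itself is the right fix: before this change the function recorded the WA_PEC_REQUEST_TOKEN_STALE error via set_errorResponse and then fell through to `return MWK_OK;`, which matches the reported behaviour of the login succeeding after WebKdcTokenMaxTTL has elapsed. A regression test that sets WebKdcTokenMaxTTL to a short value (the "30s" from the report) and submits the login after that interval would keep this from silently regressing again.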