Tomcat 9.0.74 change causes not honoring session timeout configured in tomcat web.xml for FORM Authentication

Thu, 26 Oct 2023 21:40:57 -0700 

Hi All,



Tomcat Version : 9.0.74

Operating System: Windows and Linux

Bits: 64



Tomcat 9.0.74 not honoring  session timeout configured in
tomcat/conf/web.xml for FORM Authentication and it is effecting customers.

==========================

   <session-config>

        <session-timeout>30</session-timeout> // 30 minutes

    </session-config>

=========================



Verified the Tomcat source code

-        FormAuthenticator overriding above configured session timeout
setting (30 minutes)  with value (120 seconds)

-        As per FormAuthenticator.Java, this change/issue started from
Tomcat Version : 9.0.74 for FORM Authentication and it overwrites the
original session-timeout value

-        This issue/behavior not observed in 9.0.73



Verified the Tomcat documentation

-        Verified the tomcat changelog, there is a fix/change went in
Tomcat 9.0.74 below related to FORM Based Authentication Session @
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html, looks which is
causing this issue.

------------------------------------------------------------------------------------------------------------------------------

Harden the FORM authentication process against DoS attacks by using a
reduced session timeout if the FORM authentication process creates a
session. The duration of this timeout is configured by the
authenticationSessionTimeout attribute of the FORM authenticator. (markt)

-------------------------------------------------------------------------------------------------------------------------



Is it bug ? Could you please help/suggest.



Thanks

Channa

-- 
This electronic communication and the information and any files transmitted 
with it, or attached to it, are confidential and are intended solely for 
the use of the individual or entity to whom it is addressed and may contain 
information that is confidential, legally privileged, protected by privacy 
laws, or otherwise restricted from disclosure to anyone else. If you are 
not the intended recipient or the person responsible for delivering the 
e-mail to the intended recipient, you are hereby notified that any use, 
copying, distributing, dissemination, forwarding, printing, or copying of 
this e-mail is strictly prohibited. If you received this e-mail in error, 
please return the e-mail to the sender, delete it from your computer, and 
destroy any printed copy of it.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to