https://bz.apache.org/bugzilla/show_bug.cgi?id=67793

--- Comment #1 from Channa <channa.puchakay...@gmail.com> ---
Hi All,

We are also facing the same issue; it is the same as the mail sent to the mailing list
"us...@tomcat.apache.org" with subject "Tomcat 9.0.75 ignoring session timeout
configured in tomcat conf web.xml"


Details Below
==============
Tomcat Version : 9.0.75
Operating System: Windows and Linux
Bits: 64   

Tomcat 9.0.75 is not honoring the session timeout configured in tomcat/conf/web.xml
for FORM Authentication and it is affecting customers.
==========================
    <session-config>
        <session-timeout>30</session-timeout> <!-- 30 minutes -->
    </session-config>
=========================

Verified the Tomcat source code
- FormAuthenticator overrides the above configured session timeout setting
(30 minutes) with the value 120 seconds
- As per FormAuthenticator.java, this change/issue started from Tomcat
version 9.0.74 for FORM Authentication and it overwrites the original
session-timeout value
- This issue/behavior is not observed in 9.0.73

Verified the Tomcat documentation
- Verified the Tomcat changelog; there is a fix/change that went into Tomcat
9.0.74 (below) related to the FORM Based Authentication session at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html, which looks to be causing
this issue.
------------------------------------------------------------------------------------------------------------------------------
Harden the FORM authentication process against DoS attacks by using a reduced
session timeout if the FORM authentication process creates a session. The
duration of this timeout is configured by the authenticationSessionTimeout
attribute of the FORM authenticator. (markt)
-------------------------------------------------------------------------------------------------------------------------

Could you please fix this bug and help.


Thanks
Channa
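The behaviour described in the report, as an added illustration that is not Tomcat's code and not part of the original comment: a stand-in session object and two hypothetical hooks, beginFormAuth (applies the reduced authenticationSessionTimeout while the user is still unauthenticated) and completeFormAuth (runs after credentials are verified). Passing restore=false reproduces what the reporter observes, the 120 second value surviving past login; restore=true shows the configured 30 minutes coming back. The saved-attribute name and the hook names are assumptions, not Tomcat identifiers.

```java
import java.util.HashMap;
import java.util.Map;

// Minimal stand-in for an HttpSession: only the inactivity timeout and
// attributes matter for this illustration.
class DemoSession {
    private int maxInactiveInterval;            // seconds, as in HttpSession
    private final Map<String, Object> attrs = new HashMap<>();
    DemoSession(int seconds) { this.maxInactiveInterval = seconds; }
    int getMaxInactiveInterval() { return maxInactiveInterval; }
    void setMaxInactiveInterval(int seconds) { maxInactiveInterval = seconds; }
    void setAttribute(String k, Object v) { attrs.put(k, v); }
    Object getAttribute(String k) { return attrs.get(k); }
    void removeAttribute(String k) { attrs.remove(k); }
}

public class FormAuthTimeoutDemo {
    static final int WEB_XML_TIMEOUT = 30 * 60;   // <session-timeout>30</session-timeout>, from the report
    static final int AUTH_SESSION_TIMEOUT = 120;  // the 120 second value cited in the report
    // Hypothetical attribute name used only to remember the configured timeout.
    static final String SAVED_KEY = "demo.savedMaxInactiveInterval";

    // Hypothetical hook: the login form is about to be shown, so the session is
    // still unauthenticated and gets the short DoS-hardening timeout.
    static void beginFormAuth(DemoSession s) {
        s.setAttribute(SAVED_KEY, s.getMaxInactiveInterval());
        s.setMaxInactiveInterval(AUTH_SESSION_TIMEOUT);
    }

    // Hypothetical hook: credentials verified. restore=false leaves the reduced
    // timeout in place, which is the symptom the report describes.
    static void completeFormAuth(DemoSession s, boolean restore) {
        if (restore) {
            Object saved = s.getAttribute(SAVED_KEY);
            if (saved instanceof Integer) {
                s.setMaxInactiveInterval((Integer) saved);
            }
        }
        s.removeAttribute(SAVED_KEY);
    }

    public static void main(String[] args) {
        DemoSession reported = new DemoSession(WEB_XML_TIMEOUT);
        beginFormAuth(reported);
        completeFormAuth(reported, false);
        System.out.println("timeout after login, no restore: " + reported.getMaxInactiveInterval() + "s");

        DemoSession restored = new DemoSession(WEB_XML_TIMEOUT);
        beginFormAuth(restored);
        completeFormAuth(restored, true);
        System.out.println("timeout after login, restored: " + restored.getMaxInactiveInterval() + "s");
    }
}
```

A quick way to confirm which case a deployment is in is to compare the session's getMaxInactiveInterval() before and after a FORM login against the web.xml value.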
