1. Do not cross-post the same question to multiple lists.
2. Do not post the same question multiple times if you don't get an
answer as quickly as you would like. We all all volunteers here. If you
want a guaranteed SLA then pick you preferred vendor and pay for support.
Mark
27 Oct 2023 05:07:20 Channa Puchakayala
<channa.puchakay...@broadcom.com.INVALID>:
Hi All,
Tomcat Version : 9.0.75
Operating System: Windows and Linux
Bits: 64
Tomcat 9.0.75 not honoring session timeout configured in
tomcat/conf/web.xml for FORM Authentication and it is effecting
customers.
==========================
<session-config>
<session-timeout>30</session-timeout> // 30 minutes
</session-config>
=========================
Verified the Tomcat source code
- FormAuthenticator overriding above configured session timeout
setting (30 minutes) with value (120 seconds)
- As per FormAuthenticator.Java, this change/issue started from
Tomcat Version : 9.0.74 for FORM Authentication and it overwrites the
original session-timeout value
- This issue/behavior not observed in 9.0.73
Verified the Tomcat documentation
- Verified the tomcat changelog, there is a fix/change went in
Tomcat 9.0.74 below related to FORM Based Authentication Session @
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html, looks which is
causing this issue.
------------------------------------------------------------------------------------------------------------------------------
Harden the FORM authentication process against DoS attacks by using a
reduced session timeout if the FORM authentication process creates a
session. The duration of this timeout is configured by
the *authenticationSessionTimeout* attribute of the FORM authenticator.
(markt)
-------------------------------------------------------------------------------------------------------------------------
Is it bug ? Could you please help/suggest.
Thanks
Channa
This electronic communication and the information and any files
transmitted with it, or attached to it, are confidential and are
intended solely for the use of the individual or entity to whom it is
addressed and may contain information that is confidential, legally
privileged, protected by privacy laws, or otherwise restricted from
disclosure to anyone else. If you are not the intended recipient or the
person responsible for delivering the e-mail to the intended recipient,
you are hereby notified that any use, copying, distributing,
dissemination, forwarding, printing, or copying of this e-mail is
strictly prohibited. If you received this e-mail in error, please
return the e-mail to the sender, delete it from your computer, and
destroy any printed copy of it.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
