Hi,
On 08/01/2025 22:13, Christopher Schultz wrote:
> [...]
> It would allow anyone to force a logout of all current users at will just by
> making any request that causes an unauthenticated session to be created.
> Instant DOS.
Note that current "maxActiveSessions" implementation also causes a DOS: if you
can create many sessions, it will block new users.
I must look at the application unauthenticated sessions:
- if they are already big, there is already a DOS via OutOfMemory
- if they are small, they would need to be handled specifically, expiring them
first
In any case, as you suggested, the application should not depend on such big
sessions. That's the real solution to avoid any issues!
cu
Pascal Rigaux.
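An added example, not from this thread and not Tomcat's own code, of the "expire unauthenticated sessions first" approach discussed above: a listener that bounds the number of anonymous sessions by invalidating the oldest ones, so a flood of anonymous sessions cannot block new logins the way a global maxActiveSessions cap does. It assumes the Jakarta Servlet API (Tomcat 10+), that the application marks a successful login by setting a session attribute named "user", and the cap and timeout values are illustrative.

```java
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionAttributeListener;
import jakarta.servlet.http.HttpSessionBindingEvent;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;

import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;

/**
 * Added example (not from the mailing-list thread, not part of Tomcat).
 * Bounds the number of *unauthenticated* sessions by expiring the oldest
 * ones first, instead of refusing new sessions for everyone.
 * Assumptions: login is signalled by setting the session attribute "user";
 * the cap and timeouts below are illustrative values.
 */
@WebListener
public class UnauthenticatedSessionCap
        implements HttpSessionListener, HttpSessionAttributeListener {

    static final String AUTH_ATTR = "user";        // assumed attribute name
    static final int MAX_UNAUTH_SESSIONS = 1000;   // assumed cap
    static final int UNAUTH_TIMEOUT_SECS = 120;    // short lifetime before login
    static final int AUTH_TIMEOUT_SECS = 30 * 60;  // restored once logged in

    /** Creation time is captured at insert so eviction never touches an
     *  already-invalidated session just to sort it. */
    private static final class Tracked {
        final long created;
        final HttpSession session;
        Tracked(HttpSession s) { this.created = s.getCreationTime(); this.session = s; }
    }

    private final Map<String, Tracked> unauthenticated = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        // Anonymous sessions get a short idle timeout so they free memory quickly.
        s.setMaxInactiveInterval(UNAUTH_TIMEOUT_SECS);
        unauthenticated.put(s.getId(), new Tracked(s));
        evictOldest();
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        unauthenticated.remove(se.getSession().getId());
    }

    @Override
    public void attributeAdded(HttpSessionBindingEvent e) {
        // Once the application marks the session as authenticated, stop
        // counting it against the anonymous cap and give it the normal timeout.
        if (AUTH_ATTR.equals(e.getName())) {
            HttpSession s = e.getSession();
            unauthenticated.remove(s.getId());
            s.setMaxInactiveInterval(AUTH_TIMEOUT_SECS);
        }
    }

    /** Invalidate the oldest anonymous sessions until the cap is respected. */
    private void evictOldest() {
        int excess = unauthenticated.size() - MAX_UNAUTH_SESSIONS;
        if (excess <= 0) {
            return;
        }
        List<Tracked> oldest = unauthenticated.values().stream()
                .sorted(Comparator.comparingLong(t -> t.created))
                .limit(excess)
                .collect(Collectors.toList());
        for (Tracked t : oldest) {
            unauthenticated.remove(t.session.getId());
            try {
                t.session.invalidate();
            } catch (IllegalStateException alreadyGone) {
                // Expired or invalidated concurrently; nothing left to do.
            }
        }
    }
}
```

The listener only limits damage once a session exists; the cheaper defence is for request handlers that serve anonymous traffic to call `request.getSession(false)` and never create a session until the user actually logs in, which also keeps the per-session footprint question raised above from mattering for unauthenticated requests.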
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org