On Thu, Jan 9, 2025 at 1:31 PM Pascal Rigaux <pascal.rig...@univ-paris1.fr.invalid> wrote:
>
> Hi,
>
> On 08/01/2025 22:13, Christopher Schultz wrote:
> > [...]
> > It would allow anyone to force a logout of all current users at will just
> > by making any request that causes an unauthenticated session to be created.
> >
> > Instant DOS.
>
> Note that the current "maxActiveSessions" implementation also causes a DOS: if
> you can create many sessions, it will block new users.

Note that the proposed "maxActiveSessions" implementation also causes a DOS: if
you can create many sessions, it will block all users as they will get logged
out almost instantly. It goes both ways ...

Rémy

> I must look at the application's unauthenticated sessions:
> - if they are already big, there is already a DOS via OutOfMemory
> - if they are small, they would need to be handled specifically, expiring
> them first
>
> In any case, as you suggested, the application should not depend on such big
> sessions. That's the real solution to avoid any issues!
>
> cu
> Pascal Rigaux.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
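Pascal's point about handling unauthenticated sessions specifically, expiring them first, can be done at the application level without touching the container's session manager. The following is an added example written for this thread; it is not code from the thread, from Tomcat, or from any of the posters. It assumes the Jakarta Servlet API (Tomcat 10 or later), that the application marks a logged-in session with a session attribute named "user" (an assumed name), and a 120-second idle window for anonymous sessions (an assumed value). The two public classes are shown together for readability; in a real project each goes in its own source file.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;
import java.io.IOException;

/**
 * Every new session starts out anonymous and gets a short inactivity timeout,
 * so a flood of unauthenticated requests is expired by the container quickly
 * instead of accumulating towards maxActiveSessions (or the heap limit).
 */
@WebListener
public class AnonymousSessionTimeoutListener implements HttpSessionListener {

    // ASSUMPTION: the application stores the logged-in principal under this key.
    static final String USER_ATTR = "user";

    // ASSUMPTION: idle window for sessions nobody has logged in to (seconds).
    static final int ANONYMOUS_TIMEOUT_SECONDS = 120;

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Override the web.xml <session-timeout> for this session only.
        se.getSession().setMaxInactiveInterval(ANONYMOUS_TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to clean up; the container drops the session itself.
    }
}

/**
 * After each request, if the session has become authenticated during that
 * request, restore the application's normal timeout so real users are not
 * logged out after the short anonymous window.
 */
@WebFilter("/*")
public class PromoteAuthenticatedSessionFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);

        HttpSession session = ((HttpServletRequest) req).getSession(false);
        if (session == null) {
            return; // request did not create or use a session
        }
        try {
            boolean authenticated =
                    session.getAttribute(AnonymousSessionTimeoutListener.USER_ATTR) != null;
            boolean stillShortTimeout =
                    session.getMaxInactiveInterval()
                            == AnonymousSessionTimeoutListener.ANONYMOUS_TIMEOUT_SECONDS;
            if (authenticated && stillShortTimeout) {
                // ServletContext.getSessionTimeout() (Servlet 4.0+) returns minutes;
                // a value <= 0 means "never expire", which setMaxInactiveInterval
                // expresses as a negative interval.
                int minutes = req.getServletContext().getSessionTimeout();
                session.setMaxInactiveInterval(minutes > 0 ? minutes * 60 : -1);
            }
        } catch (IllegalStateException alreadyInvalidated) {
            // The request (e.g. a logout) invalidated the session; nothing to promote.
        }
    }
}
```

The design keeps the container's maxActiveSessions as a hard ceiling while making it much harder for anonymous traffic to reach that ceiling: an attacker's sessions live for at most the short anonymous window, and only sessions that passed authentication keep the configured long timeout. It does nothing about the size of each session, which is the other half of Pascal's concern; that still has to be addressed in the application itself.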