The proposal does not create an instant DOS, because applications can always create a new session if the old session is closed. Instead, the current behavior creates an instant DOS, as no new sessions can be created. 😊 Although the current behavior is still probably the better option, so that at least existing sessions can work normally.
-Harri

-----Original Message-----
From: Rémy Maucherat <r...@apache.org>
Sent: Thursday 9 January 2025 14:40
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: session Manager "maxActiveSessions" alternative behavior : allow new session but expire old session

On Thu, Jan 9, 2025 at 1:31 PM Pascal Rigaux <pascal.rig...@univ-paris1.fr.invalid> wrote:
>
> Hi,
>
> On 08/01/2025 22:13, Christopher Schultz wrote:
> > [...]
> > It would allow anyone to force a logout of all current users at will just
> > by making any request that causes an unauthenticated session to be created.
> >
> > Instant DOS.
>
> Note that the current "maxActiveSessions" implementation also causes a DOS: if
> you can create many sessions, it will block new users.

Note that the proposed "maxActiveSessions" implementation also causes a DOS: if you can create many sessions, it will block all users as they will get logged out almost instantly. It goes both ways ...

Rémy

> I must look at the application unauthenticated sessions:
> - if they are already big, there is already a DOS via OutOfMemory
> - if they are small, they would need to be handled specifically,
> expiring them first
>
> In any case, as you suggested, the application should not depend on such big
> sessions. That's the real solution to avoid any issues!
>
> cu
> Pascal Rigaux.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
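The mitigation Pascal mentions for the thread's trade-off, handling unauthenticated sessions specifically so they expire first, can be done in the application itself rather than by changing how "maxActiveSessions" behaves. The listener below is an added example written for this thread; it is not code from the list, from Tomcat, or from any of the participants. It assumes the Jakarta Servlet API (Tomcat 10 or later; on Tomcat 9 replace jakarta.servlet with javax.servlet), and the package name, the attribute name and the timeout values are hypothetical choices.

```java
// Added example (not from the thread or from Tomcat itself): keep unauthenticated
// sessions short-lived so that a burst of anonymous session creation expires on
// its own instead of competing with logged-in users for the maxActiveSessions
// budget. Assumes the Jakarta Servlet API (Tomcat 10+); on Tomcat 9 replace
// jakarta.servlet with javax.servlet.
package example.session;   // hypothetical package name

import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;

/**
 * Every new session starts as "anonymous": a short idle timeout and no heavy
 * attributes. Only once the user authenticates is the timeout raised to the
 * normal value, so an anonymous flood evicts itself long before it can exhaust
 * the session cap configured on the Manager.
 */
@WebListener
public class AnonymousSessionPolicy implements HttpSessionListener {

    /** Idle timeout for sessions that have not authenticated yet (seconds); example value. */
    static final int ANONYMOUS_TIMEOUT_SECONDS = 120;
    /** Idle timeout granted after a successful login (seconds); example value. */
    static final int AUTHENTICATED_TIMEOUT_SECONDS = 30 * 60;
    /** Attribute marking a session as belonging to an authenticated user; hypothetical name. */
    static final String USER_ATTR = "example.authenticatedUser";

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // A newly created session is anonymous by definition: give it the short timeout.
        se.getSession().setMaxInactiveInterval(ANONYMOUS_TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to release here; present only so the listener is complete.
    }

    /**
     * Call from the login handler after credentials have been verified.
     * Rotates the session id (Servlet 3.1+, guards against session fixation),
     * records the user, and only then grants the longer idle timeout.
     */
    public static void markAuthenticated(HttpServletRequest request, String username) {
        request.changeSessionId();
        HttpSession session = request.getSession();
        session.setAttribute(USER_ATTR, username);
        session.setMaxInactiveInterval(AUTHENTICATED_TIMEOUT_SECONDS);
    }

    /** True when the session has passed through markAuthenticated. */
    public static boolean isAuthenticated(HttpSession session) {
        return session != null && session.getAttribute(USER_ATTR) != null;
    }
}
```

Pair this with the existing `maxActiveSessions` attribute on the `<Manager>` element in the context's `context.xml`: the cap still protects the heap, but the sessions that fill it up are now the ones that expire first. Two caveats a practitioner should keep in mind: Tomcat expires idle sessions from its periodic background thread, so the short timeout is enforced with some delay rather than instantly, and the policy only helps if anonymous sessions really are small, which is the point made in the thread about not depending on big sessions.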