Pascal,

On 1/9/25 7:31 AM, Pascal Rigaux wrote:
> On 08/01/2025 22:13, Christopher Schultz wrote:
>> [...]
>> It would allow anyone to force a logout of all current users at will
>> just by making any request that causes an unauthenticated session to
>> be created.
>> Instant DOS.
> Note that current "maxActiveSessions" implementation also causes a DOS:
> if you can create many sessions, it will block new users.

Yes, but it will not log out existing users, so it's less impactful.

> I must look at the application unauthenticated sessions:
> - if they are already big, there is already a DOS via OutOfMemory
> - if they are small, they would need to be handled specifically,
>   expiring them first

In any case, as you suggested, the application should not depend on such
big sessions. That's the real solution to avoid any issues!

;)

-chris
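As an added illustration of the mitigation discussed in this thread (not code from either participant or from Tomcat itself): one way to make unauthenticated sessions cheap to flood is to give every newly created session a short inactivity budget and only extend it once the user has logged in, so that anonymous sessions are the first to expire under pressure and a cap such as Tomcat's `maxActiveSessions` Manager attribute is far less likely to be reached by anonymous traffic alone. The listener below assumes a Jakarta Servlet 5+ container (Tomcat 10 or later); the package name, the `app.authenticatedPrincipal` attribute and the timeout values are assumptions chosen for the example.

```java
package example.session; // hypothetical package for this example

import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;

/**
 * Gives anonymous sessions a short lifetime and authenticated sessions a normal one,
 * so a burst of session-creating anonymous requests ages out quickly instead of
 * occupying memory (or a maxActiveSessions slot) for the full application timeout.
 */
@WebListener
public class SessionBudgetListener implements HttpSessionListener {

    /** Hypothetical attribute the login handler sets once the user is authenticated. */
    public static final String AUTH_ATTR = "app.authenticatedPrincipal";

    /** Assumed budgets: anonymous sessions live 2 minutes idle, logged-in ones 30 minutes. */
    static final int ANON_TIMEOUT_SECONDS = 2 * 60;
    static final int AUTH_TIMEOUT_SECONDS = 30 * 60;

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Every session starts out unauthenticated, so it starts with the short budget.
        se.getSession().setMaxInactiveInterval(ANON_TIMEOUT_SECONDS);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Nothing to clean up here; the container discards the session state.
    }

    /**
     * Called from the application's login handler after credentials were verified.
     * Rotates the session id (so the pre-login id cannot be reused) and then
     * extends the inactivity budget for the now-authenticated session.
     */
    public static HttpSession markAuthenticated(HttpServletRequest request, String principal) {
        request.changeSessionId();                       // Servlet 3.1+ API
        HttpSession session = request.getSession();      // same session, new id
        session.setAttribute(AUTH_ATTR, principal);
        session.setMaxInactiveInterval(AUTH_TIMEOUT_SECONDS);
        return session;
    }

    /** True when the session carries the authenticated-principal marker. */
    public static boolean isAuthenticated(HttpSession session) {
        return session != null && session.getAttribute(AUTH_ATTR) != null;
    }
}
```

The listener is picked up automatically by the container because of `@WebListener`; the login code only needs to call `SessionBudgetListener.markAuthenticated(request, username)` after a successful credential check. Two things the code cannot do for you, and which follow from the thread: keep the state stored in a not-yet-authenticated session small (ideally nothing beyond the id), and, if you also set `maxActiveSessions` on the Manager in `META-INF/context.xml`, size it for the number of authenticated users you expect plus the short-lived anonymous headroom, since reaching that cap refuses new sessions rather than evicting old ones.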