This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new fa72626740 Fix BZ 67793 - use correct session timeout after refresh
during auth
fa72626740 is described below
commit fa726267408591245111f720352eef01ec8c1364
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Nov 2 11:04:19 2023 +0000
Fix BZ 67793 - use correct session timeout after refresh during auth
https://bz.apache.org/bugzilla/show_bug.cgi?id=67793
---
java/org/apache/catalina/authenticator/FormAuthenticator.java | 8 ++++++++
webapps/docs/changelog.xml | 6 ++++++
2 files changed, 14 insertions(+)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 9dd5635ca8..f9cdc52618 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -711,12 +711,20 @@ public class FormAuthenticator extends AuthenticatorBase {
saved.setRequestURI(request.getRequestURI());
saved.setDecodedRequestURI(request.getDecodedRequestURI());
+ SavedRequest previousSavedRequest = (SavedRequest)
session.getNote(Constants.FORM_REQUEST_NOTE);
if (session.isNew()) {
int originalMaxInactiveInterval = session.getMaxInactiveInterval();
if (originalMaxInactiveInterval >
getAuthenticationSessionTimeout()) {
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
}
+ } else if (previousSavedRequest != null &&
previousSavedRequest.getOriginalMaxInactiveInterval() > 0) {
+ /*
+ * The user may have refreshed the browser page during
authentication. Transfer the original max inactive
+ * interval from previous saved request to current one else, once
authentication is completed, the session
+ * will retain the the shorter authentication session timeout
+ */
+
saved.setOriginalMaxInactiveInterval(previousSavedRequest.getOriginalMaxInactiveInterval());
}
// Stash the SavedRequest in our session for later use
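Review bot: The new comment above the `saved.setOriginalMaxInactiveInterval(previousSavedRequest.getOriginalMaxInactiveInterval())` line has a duplicated word ("retain the the shorter"); I would fix it and make the provenance of the restored value explicit, e.g. `* will retain the shorter authentication session timeout. The previous value comes from the FORM_REQUEST_NOTE session note (server-side state), not from anything the client sends.` On style, `previousSavedRequest` is only consulted in the `else if` branch, so the `session.getNote(Constants.FORM_REQUEST_NOTE)` lookup is wasted on the new-session path; declaring it inside a plain `else` block with a nested `if` keeps the lookup next to its single use. The enclosing method starts before the hunk, so its signature and the origin of `saved` are not visible here.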
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e1b965e700..bb5a18887f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -126,6 +126,12 @@
support a broader range of environments, and to give better information
in the event of a failure. (schultz)
</update>
+ <fix>
+ <bug>67793</bug>: Ensure the original session timeout is restored after
+ FORM authentication if the user refreshes a page during the FORM
+ authentication process. Based on a suggestion by Mircea Butmalai.
+ (markt)
+ </fix>
<update>
<bug>67926</bug>: <code>PEMFile</code> prints unidentifiable string
representation of ASN.1 OIDs. (michaelo)