This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new fa72626740 Fix BZ 67793 - use correct session timeout after refresh during auth
fa72626740 is described below
commit fa726267408591245111f720352eef01ec8c1364
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Nov 2 11:04:19 2023 +0000
Fix BZ 67793 - use correct session timeout after refresh during auth
https://bz.apache.org/bugzilla/show_bug.cgi?id=67793
---
java/org/apache/catalina/authenticator/FormAuthenticator.java | 8 ++++++++
webapps/docs/changelog.xml | 6 ++++++
2 files changed, 14 insertions(+)
diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 9dd5635ca8..f9cdc52618 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -711,12 +711,20 @@ public class FormAuthenticator extends AuthenticatorBase {
 saved.setRequestURI(request.getRequestURI());
 saved.setDecodedRequestURI(request.getDecodedRequestURI());
 
+ SavedRequest previousSavedRequest = (SavedRequest) session.getNote(Constants.FORM_REQUEST_NOTE);
 if (session.isNew()) {
 int originalMaxInactiveInterval = session.getMaxInactiveInterval();
 if (originalMaxInactiveInterval > getAuthenticationSessionTimeout()) {
 saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
 session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
 }
+ } else if (previousSavedRequest != null && previousSavedRequest.getOriginalMaxInactiveInterval() > 0) {
+ /*
+ * The user may have refreshed the browser page during authentication. Transfer the original max inactive
+ * interval from previous saved request to current one else, once authentication is completed, the session
+ * will retain the the shorter authentication session timeout
+ */
+ saved.setOriginalMaxInactiveInterval(previousSavedRequest.getOriginalMaxInactiveInterval());
 }
 
 // Stash the SavedRequest in our session for later use
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e1b965e700..bb5a18887f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -126,6 +126,12 @@
 support a broader range of environments, and to give better information
 in the event of a failure. (schultz)
 </update>
+ <fix>
+ <bug>67793</bug>: Ensure the original session timeout is restored after
+ FORM authentication if the user refreshes a page during the FORM
+ authentication process. Based on a suggestion by Mircea Butmalai.
+ (markt)
+ </fix>
 <update>
 <bug>67926</bug>: <code>PEMFile</code> prints unidentifiable string
 representation of ASN.1 OIDs. (michaelo)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
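Review bot: The new `else if` keys off `previousSavedRequest.getOriginalMaxInactiveInterval() > 0`, but nothing in the hunk states which value means "no shortened timeout was recorded"; if 0 is the unset default (not visible here), a comment on the condition such as `// 0 = no original interval was recorded on the earlier attempt, so there is nothing to carry over` would keep a later reader from treating it as an arbitrary guard. The added block comment also reads "retain the the shorter", a duplicated word worth fixing while the lines are being touched. The carry-over assumes the FORM_REQUEST_NOTE is removed once an authentication completes; if that note can survive a completed authentication in the same session, a stale original interval could be transferred into a later SavedRequest and applied to the session, which is worth confirming against the code outside this hunk. The enclosing method starts and ends outside the hunk.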