This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new fa72626740 Fix BZ 67793 - use correct session timeout after refresh 
during auth
fa72626740 is described below

commit fa726267408591245111f720352eef01ec8c1364
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Nov 2 11:04:19 2023 +0000

    Fix BZ 67793 - use correct session timeout after refresh during auth
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=67793
---
 java/org/apache/catalina/authenticator/FormAuthenticator.java | 8 ++++++++
 webapps/docs/changelog.xml                                    | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java 
b/java/org/apache/catalina/authenticator/FormAuthenticator.java
index 9dd5635ca8..f9cdc52618 100644
--- a/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java
@@ -711,12 +711,20 @@ public class FormAuthenticator extends AuthenticatorBase {
         saved.setRequestURI(request.getRequestURI());
         saved.setDecodedRequestURI(request.getDecodedRequestURI());
 
+        SavedRequest previousSavedRequest = (SavedRequest) 
session.getNote(Constants.FORM_REQUEST_NOTE);
         if (session.isNew()) {
             int originalMaxInactiveInterval = session.getMaxInactiveInterval();
             if (originalMaxInactiveInterval > 
getAuthenticationSessionTimeout()) {
                 
saved.setOriginalMaxInactiveInterval(originalMaxInactiveInterval);
                 
session.setMaxInactiveInterval(getAuthenticationSessionTimeout());
             }
+        } else if (previousSavedRequest != null && 
previousSavedRequest.getOriginalMaxInactiveInterval() > 0) {
+            /*
+             * The user may have refreshed the browser page during 
authentication. Transfer the original max inactive
+             * interval from previous saved request to current one else, once 
authentication is completed, the session
+             * will retain the the shorter authentication session timeout
+             */
+            
saved.setOriginalMaxInactiveInterval(previousSavedRequest.getOriginalMaxInactiveInterval());
         }
 
         // Stash the SavedRequest in our session for later use
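Review bot: The new `else if` branch (L44–L55) carries the previous SavedRequest's original interval into the new one without confirming that the session is still running on the shortened authentication timeout, so if a FORM_REQUEST_NOTE can outlive a completed authentication (not visible in this hunk), the later restore would overwrite whatever timeout was set in the meantime. A tighter guard would be `} else if (previousSavedRequest != null && previousSavedRequest.getOriginalMaxInactiveInterval() > 0 && session.getMaxInactiveInterval() == getAuthenticationSessionTimeout()) {`, which limits the transfer to the refresh-during-auth case the commit is fixing. The condition `> 0` presumably relies on SavedRequest defaulting originalMaxInactiveInterval to 0 or less; worth confirming against the field's initializer since a negative value means "never expire" elsewhere in the session API. The added comment also contains a duplicated word, "retain the the shorter"; I would reword it as `Transfer the original max inactive interval from the previous saved request to the current one; otherwise, once authentication completes, the session would keep the shorter authentication timeout.` The enclosing saveRequest method starts and ends outside this hunk.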
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e1b965e700..bb5a18887f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -126,6 +126,12 @@
         support a broader range of environments, and to give better information
         in the event of a failure. (schultz)
       </update>
+      <fix>
+        <bug>67793</bug>: Ensure the original session timeout is restored after
+        FORM authentication if the user refreshes a page during the FORM
+        authentication process. Based on a suggestion by Mircea Butmalai.
+        (markt)
+      </fix>
       <update>
         <bug>67926</bug>: <code>PEMFile</code> prints unidentifiable string
         representation of ASN.1 OIDs. (michaelo)

