https://bz.apache.org/bugzilla/show_bug.cgi?id=69839
Bug ID: 69839
Summary: Changing SessionId creates eternal Single Sign On sessions
Product: Tomcat 9
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
Created attachment 40111
--> https://bz.apache.org/bugzilla/attachment.cgi?id=40111&action=edit
Fix and test
The SingleSignOn functionality is not aware of changing sessionIds. This means
that any sessionId change after session association will cause the SSO to live
forever.
The SSO entry is supposed to expire upon expiration of the last context
session; this is handled by SingleSignOnListener via the destroySession event.
Unfortunately, SingleSignOnSessionKey is used to identify the expired session,
and SingleSignOnSessionKey.sessionId is immutable. So the destroySession
event will not have any effect.
The problem is present in 9.x to 11.x.
I have attached a patch that adds a changeSessionId event, so that
SingleSignOnListener may perform the required updates.
The test case is borrowing code from the other SSO tests.
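The following is an added, self-contained model of the mechanism the report describes; it is not Tomcat's code and not the attached patch. The class and method names (SessionKey, SSORegistry, session_id_changed, session_destroyed, run_scenario) are assumptions chosen for illustration. It keeps an SSO entry keyed by immutable (context, sessionId) pairs, shows how a session-id change followed by session destruction leaves the entry alive, and shows the fix: re-keying the entry when the id changes so the later destroy event matches.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class SessionKey:
    """Immutable identity of one context session, modelled on
    SingleSignOnSessionKey (context + sessionId, never mutated)."""
    context: str
    session_id: str


@dataclass
class SSOEntry:
    principal: str
    sessions: Set[SessionKey] = field(default_factory=set)


class SSORegistry:
    """Toy single-sign-on registry (assumption: not Tomcat's SingleSignOn).

    track_id_changes=False reproduces the reported bug: the registry ignores
    session-id changes, so destroy events for the new id never match.
    track_id_changes=True models the proposed fix: a changeSessionId event
    re-keys the stored SessionKey before any destroy event arrives.
    """

    def __init__(self, track_id_changes: bool) -> None:
        self.track_id_changes = track_id_changes
        self.entries: Dict[str, SSOEntry] = {}          # sso_id -> entry
        self.key_to_sso: Dict[SessionKey, str] = {}     # session key -> sso_id

    def register(self, sso_id: str, principal: str) -> None:
        self.entries[sso_id] = SSOEntry(principal)

    def associate(self, sso_id: str, context: str, session_id: str) -> None:
        """Link a context session to an SSO entry (the moment the key is frozen)."""
        key = SessionKey(context, session_id)
        self.entries[sso_id].sessions.add(key)
        self.key_to_sso[key] = sso_id

    def session_id_changed(self, context: str, old_id: str, new_id: str) -> bool:
        """Handle a changeSessionId event. Returns True if an entry was re-keyed."""
        if not self.track_id_changes:
            return False  # bug: registry never learns about the new id
        old_key = SessionKey(context, old_id)
        sso_id = self.key_to_sso.pop(old_key, None)
        if sso_id is None:
            return False
        new_key = SessionKey(context, new_id)
        entry = self.entries[sso_id]
        entry.sessions.discard(old_key)
        entry.sessions.add(new_key)
        self.key_to_sso[new_key] = sso_id
        return True

    def session_destroyed(self, context: str, session_id: str) -> Optional[str]:
        """Handle a destroySession event. Returns the SSO id that expired, if any.

        Lookup is by the immutable key; an unknown key is silently ignored,
        which is exactly why a stale key keeps the SSO entry alive."""
        key = SessionKey(context, session_id)
        sso_id = self.key_to_sso.pop(key, None)
        if sso_id is None:
            return None
        entry = self.entries[sso_id]
        entry.sessions.discard(key)
        if not entry.sessions:
            del self.entries[sso_id]   # last session gone: SSO expires
            return sso_id
        return None

    def is_alive(self, sso_id: str) -> bool:
        return sso_id in self.entries


def run_scenario(track_id_changes: bool) -> bool:
    """Login, associate one session, rotate its id (e.g. after authentication),
    then destroy it. Returns True if the SSO entry outlives its last session."""
    reg = SSORegistry(track_id_changes)
    reg.register("sso-1", "alice")                 # constructed sample values
    reg.associate("sso-1", "/app", "S-old")
    reg.session_id_changed("/app", "S-old", "S-new")
    reg.session_destroyed("/app", "S-new")          # container only knows the new id
    return reg.is_alive("sso-1")


if __name__ == "__main__":
    print("bug reproduced, SSO eternal:", run_scenario(track_id_changes=False))
    print("with re-keying, SSO expired:", not run_scenario(track_id_changes=True))
```

With tracking disabled the destroy event carries the new id, finds no key, and the SSO entry is never removed; with tracking enabled the re-keyed entry is found and dropped when its last session ends.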