Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 8.0 Update 5
Affects Version/s: 8.0 Update 2
Component/s: Undertow
Labels:
- needs-backport

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

8.0.z.GA
Workaround:

Workaround Exists
Workaround Description:

Hide

Use POST in a FORM login page, not GET

Show
Use POST in a FORM login page, not GET
Git Pull Request:
https://github.com/undertow-io/undertow/pull/1608, https://github.com/undertow-io/undertow/pull/1585
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

If a FORM login page happens to use GET instead of the typical POST to send the login credentials to a custom location, then the short session timeout from ~~UNDERTOW-2378~~ / UNDERTOW-2264 is still seen after login.

clones

UNDERTOW-2409 Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Resolved

is caused by

UNDERTOW-2264 CVE-2023-1973 SessionImpl objects + location strings are created and not cleaned up on authentication failures

Reopened

is incorporated by

JBEAP-26990 [GSS](7.4.z) UNDERTOW-2409 / UNDERTOW-2378 - Adjust properly session timeout also in case when custom auth mechanisms are used

Closed

Assignee:: Ilia Vassilev

Reporter:: Aaron Ogburn

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/06/18 8:10 PM

Updated:: 2024/10/15 8:20 PM

Resolved:: 2024/10/15 8:16 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates