- Bug
- Resolution: Done
- Critical
- 7.4.17.GA
If the FORM mechanism is used in conjunction with another mechanism, then the short session timeout from UNDERTOW-2378 / UNDERTOW-2264 is still seen after login. This is because the FORM mechanism will set its short timeout during the challenge phase, but it is not guaranteed that ServletFormAuthenticationMechanism.authenticate will be called. The client may authenticate with one of the other available mechanisms, leaving the short session timeout in place.
- clones
  - UNDERTOW-2418 Adjust properly session timeout also in case when FORM is combined with other mechanisms (Closed)
- is caused by
  - UNDERTOW-2264 CVE-2023-1973 SessionImpl objects + location strings are created and not cleaned up on authentication failures (Reopened)
- is cloned by
  - JBEAP-27369 [GSS](8.0.z) UNDERTOW-2418 - Adjust properly session timeout also in case when FORM is combined with other mechanisms (Verified)
- is incorporated by
  - JBEAP-27357 (7.4.z) Upgrade undertow from 2.2.33.SP1-redhat-00001 to 2.2.35.SP1 (Closed)
- relates to
  - UNDERTOW-2409 Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used (Resolved)
  - JBEAP-26990 [GSS](7.4.z) UNDERTOW-2409 / UNDERTOW-2378 - Adjust properly session timeout also in case when custom auth mechanisms are used (Closed)