Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Minor
Fix Version/s: 8.0 Update 5, 8.0 Update 1.5.0-dev-1
Affects Version/s: 8.0 Update 2
Component/s: Undertow
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

8.0.z.GA
Git Pull Request:
https://github.com/undertow-io/undertow/pull/1637
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

If the FORM mechanism is used in conjunction with another, then the short session timeout from ~~UNDERTOW-2378~~ / UNDERTOW-2264 is still seen after login. This is because the FORM mech will set its short timeout through the challenge phase, but it is not guaranteed that ServletFormAuthenticationMechanism.authenticate will be called. The client may authenticate with one of the other available mechanisms, leaving the short session timeout.

clones

JBEAP-27368 [GSS](7.4.z) UNDERTOW-2418 - Adjust properly session timeout also in case when FORM is combined with other mechanisms

Ready for QA

incorporates

UNDERTOW-2418 Adjust properly session timeout also in case when FORM is combined with other mechanisms

Closed

is caused by

UNDERTOW-2264 CVE-2023-1973 SessionImpl objects + location strings are created and not cleaned up on authentication failures

Reopened

is incorporated by

JBEAP-28046 (8.0.z) Upgrade Undertow from 2.3.14.SP2-redhat-00001 to 2.3.18.SP1-redhat-00001

Resolved

relates to

UNDERTOW-2409 Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Resolved

Assignee:: Flavia Rainone

Reporter:: Aaron Ogburn

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/06/27 2:07 PM

Updated:: 2024/10/29 3:23 PM

Resolved:: 2024/10/25 10:41 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates