Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 2.3.15.Final, 2.2.34.Final
Affects Version/s: None
Component/s: Core, Servlet
Labels:
None

Git Pull Request:
https://github.com/undertow-io/undertow/pull/1635, https://github.com/undertow-io/undertow/pull/1636, https://github.com/undertow-io/undertow/pull/1637

If the FORM mechanism is used in conjunction with another, then the short session timeout from ~~UNDERTOW-2378~~ / UNDERTOW-2264 is still seen after login. This is because the FORM mech will set its short timeout through the challenge phase, but it is not guaranteed that ServletFormAuthenticationMechanism.authenticate will be called. The client may authenticate with one of the other available mechanisms, leaving the short session timeout.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

UNDERTOW-2418reproducer.tar.xz
22 kB
2024/06/27 1:57 PM

is caused by

UNDERTOW-2264 CVE-2023-1973 SessionImpl objects + location strings are created and not cleaned up on authentication failures

Reopened

is cloned by

JBEAP-27368 [GSS](7.4.z) UNDERTOW-2418 - Adjust properly session timeout also in case when FORM is combined with other mechanisms

Ready for QA

is incorporated by

JBEAP-27369 [GSS](8.0.z) UNDERTOW-2418 - Adjust properly session timeout also in case when FORM is combined with other mechanisms

Resolved

WFCORE-6900 CVE-2024-3653 CVE-2024-5971 Upgrade Undertow to 2.3.15.Final

Resolved

relates to

UNDERTOW-2409 Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used

Resolved

Assignee:: Flavia Rainone

Reporter:: Aaron Ogburn

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/06/27 1:52 PM

Updated:: 2024/08/14 9:00 AM

Resolved:: 2024/07/16 12:32 PM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates