-
Bug
-
Resolution: Done
-
Critical
-
None
-
None
If the FORM mechanism is used in conjunction with another, then the short session timeout from UNDERTOW-2378 / UNDERTOW-2264 is still seen after login. This is because the FORM mech will set its short timeout through the challenge phase, but it is not guaranteed that ServletFormAuthenticationMechanism.authenticate will be called. The client may authenticate with one of the other available mechanisms, leaving the short session timeout.
- is caused by
-
UNDERTOW-2264 CVE-2023-1973 SessionImpl objects + location strings are created and not cleaned up on authentication failures
- Reopened
- is cloned by
-
JBEAP-27368 [GSS](7.4.z) UNDERTOW-2418 - Adjust properly session timeout also in case when FORM is combined with other mechanisms
- Ready for QA
- is incorporated by
-
JBEAP-27369 [GSS](8.0.z) UNDERTOW-2418 - Adjust properly session timeout also in case when FORM is combined with other mechanisms
- Resolved
-
WFCORE-6900 CVE-2024-3653 CVE-2024-5971 Upgrade Undertow to 2.3.15.Final
- Resolved
- relates to
-
UNDERTOW-2409 Adjust properly session timeout also in case when GET requests with custom auth mechanisms are used
- Resolved