Bug #12581

closed

Remove max concurrent session limit to avoid denial of services

Added by François ARMAND almost 3 years ago. Updated almost 3 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
User visibility:
Effort required:
Priority:
0

Description

In #12481 we corrected a bug that was not correctly counting sessions created in Jetty by Rudder. That correction implies that now, the number of concurrent sessions is limited to 2.

This number is ok when people use different users, but in a company where everybody uses "admin", it will quickly become a limiting factor.
So we need to make that parameter configurable, and also make the auto-logout configurable.

=> by default, we will use 2 concurrent sessions with 1h auto-logout.
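As an added illustration (not Rudder's or Spring Security's code), the small model below reproduces per-user concurrent session control as described above: a cap of 2 sessions per principal, a 1h idle logout, and the two strategies Spring offers when the cap is hit (expire the oldest session, which is the behaviour from #12481, or reject the new login). With a shared "admin" account either strategy denies service to a colleague; a cap of 0 models the fix chosen in this issue, no limit at all. Session ids, timestamps and the three-operator scenario are constructed for the example.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT_S = 3600   # the 1h auto-logout mentioned in the issue
MAX_SESSIONS = 2        # per-user limit that the #12481 fix made effective (0 = no limit)

@dataclass
class Session:
    sid: str
    principal: str
    last_seen: float
    expired: bool = False

@dataclass
class SessionRegistry:
    """Per-principal concurrent session control modelled on Spring Security's two
    strategies: expire the oldest session, or reject the new login."""
    max_sessions: int = MAX_SESSIONS   # 0 models the fix chosen here: no limit
    reject_new: bool = False           # False = expire oldest (behaviour after #12481)
    sessions: dict = field(default_factory=dict)

    def _live(self, principal, now):
        # Sessions idle longer than the timeout are logged out before counting.
        for s in self.sessions.values():
            if now - s.last_seen >= IDLE_TIMEOUT_S:
                s.expired = True
        return [s for s in self.sessions.values()
                if s.principal == principal and not s.expired]

    def login(self, sid, principal, now):
        """Return 'ok', 'rejected', or 'ok, expired <sid>' for the new login."""
        live = self._live(principal, now)
        if self.max_sessions and len(live) >= self.max_sessions:
            if self.reject_new:
                return "rejected"
            oldest = min(live, key=lambda s: s.last_seen)
            oldest.expired = True   # a colleague on the shared account is kicked out
            self.sessions[sid] = Session(sid, principal, now)
            return f"ok, expired {oldest.sid}"
        self.sessions[sid] = Session(sid, principal, now)
        return "ok"

    def active(self):
        return sorted(sid for sid, s in self.sessions.items() if not s.expired)

def shared_admin_scenario(reject_new=False, max_sessions=MAX_SESSIONS):
    """Three operators all using 'admin' log in ten seconds apart (constructed
    scenario). Returns the per-login outcomes and the sessions that survive."""
    reg = SessionRegistry(max_sessions=max_sessions, reject_new=reject_new)
    results = [reg.login(f"s{i}", "admin", now=i * 10.0) for i in range(1, 4)]
    return results, reg.active()
```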


Related issues

Related to Rudder - Bug #12481: When logged > 3 times, oldest session is logged out but not immediately (Rejected)

#1

Updated by François ARMAND almost 3 years ago

  • Related to Bug #12481: When logged > 3 times, oldest session is logged out but not immediately added
#2

Updated by François ARMAND almost 3 years ago

  • Status changed from New to In progress
#3

Updated by François ARMAND almost 3 years ago

  • Target version changed from 4.1.12 to 4.3.2

It needs to only be done in 4.3 (before it was not limited).

#4

Updated by François ARMAND almost 3 years ago

In fact, Spring being what it is, it is unbelievably hard to configure it (given our version etc).

So I propose to just come back to previous behavior and disable it.

#5

Updated by François ARMAND almost 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder/pull/1928
#6

Updated by François ARMAND almost 3 years ago

  • Status changed from Pending technical review to Pending release
#7

Updated by François ARMAND almost 3 years ago

  • Subject changed from Allow to configure max concurrent session and session timeout to Remove max concurrent session limit to avoid denial of services
#8

Updated by Vincent MEMBRÉ almost 3 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.3.2 which was released today.
