Bug #12581

Remove max concurrent session limit to avoid denial of services

Added by François ARMAND 7 months ago. Updated 6 months ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
User visibility:
Effort required:
Priority:
0

Description

In #12481 we corrected a bug that was not correctly counting sessions created in Jetty by Rudder. That correction implies that now the number of concurrent sessions is limited to 2.

This number is OK when people use different users, but in a company where everybody uses "admin", it will quickly become a limiting factor.
So we need to make that parameter configurable, and also make the auto-logout configurable.

=> by default, we will use 2 concurrent sessions with 1h auto-logout.
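For reference, this is what "max concurrent sessions plus auto-logout, both configurable" looks like in Spring Security's Java configuration. It is an added illustration written for this page, not Rudder's own code (Rudder's configuration for this version is separate and is not shown in the ticket); the property names `rudder.auth.max-sessions` and `rudder.auth.session-timeout-seconds` and the class name are assumptions.

```java
// Added illustration, not Rudder's code: Spring Security (5.x, Java config)
// concurrent-session control with the session limit and the idle timeout
// read from properties. The property names and the class name are hypothetical.
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SessionLimitConfig extends WebSecurityConfigurerAdapter {

    // 0 (or a negative value) means "no limit", i.e. the behaviour from before #12481.
    @Value("${rudder.auth.max-sessions:2}")
    private int maxSessions;

    // Idle timeout in seconds; 3600 is the 1h auto-logout the ticket proposes as default.
    @Value("${rudder.auth.session-timeout-seconds:3600}")
    private int sessionTimeoutSeconds;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin();

        if (maxSessions > 0) {
            http.sessionManagement()
                .maximumSessions(maxSessions)
                // false: a new login expires the OLDEST session of that same user, so
                //        anyone who knows the shared "admin" password can evict whoever
                //        is currently working.
                // true:  the new login is refused instead, so the shared account is
                //        locked out until an existing session times out.
                // Both variants are a denial of service as soon as an account is shared.
                .maxSessionsPreventsLogin(false)
                .expiredUrl("/login?expired");
        }
    }

    // Mandatory for concurrency control: without this listener Spring is never told
    // that a session was destroyed, so the registry keeps counting dead sessions and
    // the limit is reached with fewer real users than configured.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Auto-logout: apply the idle timeout to every session the container creates.
    @Bean
    public HttpSessionListener sessionTimeoutListener() {
        return new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent se) {
                se.getSession().setMaxInactiveInterval(sessionTimeoutSeconds);
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent se) {
                // nothing to clean up here; HttpSessionEventPublisher handles the registry
            }
        };
    }
}
```

The two listener beans are picked up automatically only in a Spring Boot application; in a plain WAR (Jetty with a `web.xml`, as in Rudder's case) both `HttpSessionEventPublisher` and the timeout listener must be declared as `<listener>` entries, or the timeout set through `<session-config><session-timeout>` in minutes. Whichever eviction policy is chosen, a per-principal limit only protects anything when principals are not shared, which is exactly why the ticket ends up removing the limit rather than tuning it.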


Related issues

Related to Rudder - Bug #12481: When logged > 3 times, oldest session is logged out but not immediately (Rejected)

Associated revisions

Revision a2d9c4c3 (diff)
Added by François ARMAND 7 months ago

Fixes #12581: Allow to configure max concurrent session and session timeout

History

#1 Updated by François ARMAND 7 months ago

  • Related to Bug #12481: When logged > 3 times, oldest session is logged out but not immediately (added)

#2 Updated by François ARMAND 7 months ago

  • Status changed from New to In progress

#3 Updated by François ARMAND 7 months ago

  • Target version changed from 4.1.12 to 4.3.2

It needs to only be done in 4.3 (before it was not limited).

#4 Updated by François ARMAND 7 months ago

In fact, Spring being what it is, it is unbelievably hard to configure it (given our version etc.).

So I propose to just come back to previous behavior and disable it.

#5 Updated by François ARMAND 7 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Benoît PECCATTE
  • Pull Request set to https://github.com/Normation/rudder/pull/1928

#6 Updated by François ARMAND 7 months ago

  • Status changed from Pending technical review to Pending release

#7 Updated by François ARMAND 7 months ago

  • Subject changed from Allow to configure max concurrent session and session timeout to Remove max concurrent session limit to avoid denial of services

#8 Updated by Vincent MEMBRÉ 6 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.3.2 which was released today.
