Bug #12581
closed
Remove max concurrent session limit to avoid denial of services
Added by François ARMAND over 6 years ago.
Updated over 6 years ago.
Description
In #12481 we corrected a bug that was not correctly counting sessions created in Jetty by Rudder. That correction implies that now, the number of concurrent sessions is limited to 2.
This number is ok when people use different users, but in a company where everybody uses "admin", it will quickly become a limiting factor.
So we need to make that parameter configurable, and also make the auto-logout configurable.
=> by default, we will use 2 concurrent sessions with 1h auto-logout.
- Related to Bug #12481: When logged > 3 times, oldest session is logged out but not immediately added
- Status changed from New to In progress
- Target version changed from 4.1.12 to 4.3.2
It only needs to be done in 4.3 (before it was not limited).
In fact, Spring being what it is, it is unbelievably hard to configure it (given our version etc).
So I propose to just come back to previous behavior and disable it.
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder/pull/1928
- Status changed from Pending technical review to Pending release
- Subject changed from Allow to configure max concurrent session and session timeout to Remove max concurrent session limit to avoid denial of services
- Status changed from Pending release to Released
This bug has been fixed in Rudder 4.3.2 which was released today.