Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow session idle timeout to be configured on authentication. #10511

Merged
merged 3 commits into from
Sep 18, 2023

Conversation

gregw
Copy link
Contributor

@gregw gregw commented Sep 13, 2023

Allow session idle timeout to be configured on authentication.

Allow session idle timeout to be configured on authentication.

Signed-off-by: gregw <[email protected]>
Copy link
Contributor

@janbartel janbartel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to allow users to be able to set authenticated sessions as immortal.

@@ -68,7 +68,8 @@ public abstract class SecurityHandler extends HandlerWrapper implements Authenti
private final Map<String, String> _initParameters = new HashMap<>();
private LoginService _loginService;
private IdentityService _identityService;
private boolean _renewSession = true;
private boolean _renewSessionOnAuthentication = true;
private int _sessionMaxInactiveIntervalOnAuthentication = 0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think a default of 0 is a good idea. If it is not set, then sessions that were previously configured - either programmatically or via web.xml - to timeout after x minutes are suddenly immortal after authentication.

Ooops, commented too soon. Now I've read the LoginAuthenticator code and it's the other way around: you can't cause sessions to become immortal after being authenticated. Immortality is indicated by a timeout <= 0, but you're only setting the maxInactiveInterval iff it's > 0.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated so that non-zero values are set on authentication, so we can now make a session immortal on authentication with a value of -1.

Signed-off-by: gregw <[email protected]>
janbartel
janbartel previously approved these changes Sep 15, 2023
Copy link
Contributor

@janbartel janbartel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But delete the commented out lines of code, and maybe consider consistent naming of the fields as per my comments. Extra combination of test cases would be good, but (hopefully) not critical :)

Signed-off-by: gregw <[email protected]>
@gregw gregw merged commit 3c76f82 into jetty-10.0.x Sep 18, 2023
2 checks passed
@gregw gregw deleted the fix/jetty-10/unauthenticatedMaxIdle branch September 18, 2023 05:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants