tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29956] New: - Incorrect handling of negative timeout in SingleSignOn.sessionEvent()
Date Wed, 07 Jul 2004 18:02:29 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29956>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29956

Incorrect handling of negative timeout in SingleSignOn.sessionEvent()

           Summary: Incorrect handling of negative timeout in
                    SingleSignOn.sessionEvent()
           Product: Tomcat 4
           Version: 4.1.30
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: sclark@detox.tat.fws.gov


When SingleSignOn.sessionEvent() is handling a destroyed session, it checks
whether the session is expiring because it timed out or because it was
explicitly logged out.  This check fails to account for the negative timeout
case.  To fix, at line 387, replace:

        if (System.currentTimeMillis() - session.getLastAccessedTime() >=
                session.getMaxInactiveInterval() * 1000) {            

with

        if ((session.getMaxInactiveInterval() > 0) &&
            (System.currentTimeMillis() - session.getLastAccessedTime() >=
                session.getMaxInactiveInterval() * 1000) {

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message