[Esapi-user] Change to session timeout functions in 2.0 and 1.4 branch
Jim Manico
jim.manico at owasp.org
Tue Jun 15 18:06:03 EDT 2010
I fixed both session timeout functions for the DefaultUser in trunk and
the 1.4 branch. We need to convert the configured value (which was in
minutes) to milliseconds for the Date constructor.
*ESAPI config setting in trunk*
# Session Timeouts (in minutes)
Authenticator.IdleTimeoutDuration=20 (implies minutes)
Authenticator.AbsoluteTimeoutDuration=120
*old function*
public boolean isSessionAbsoluteTimeout() {
    HttpSession session =
        ESAPI.httpUtilities().getCurrentRequest().getSession(false);
    if ( session == null ) return true;
    // Bug: ABSOLUTE_TIMEOUT_LENGTH is configured in minutes but is added
    // unconverted to an epoch-millisecond creation time, so a setting of
    // 120 expires the session after 120 ms.
    Date deadline = new Date( session.getCreationTime() +
        ABSOLUTE_TIMEOUT_LENGTH);
    Date now = new Date();
    return now.after(deadline);
}
*new function*
public boolean isSessionAbsoluteTimeout() {
    HttpSession session =
        ESAPI.httpUtilities().getCurrentRequest().getSession(false);
    if ( session == null ) return true;
    // ABSOLUTE_TIMEOUT_LENGTH is in minutes; convert to milliseconds
    // (1000 ms * 60 s) before adding it to the epoch-millisecond creation
    // time. A 1000 * 60 * 60 multiplier would treat the value as hours.
    Date deadline = new Date( session.getCreationTime() + (1000L *
        60 * ABSOLUTE_TIMEOUT_LENGTH));
    Date now = new Date();
    return now.after(deadline);
}
This was a functionality bug, not a security bug, since folks using this
code would just time out a lot earlier.
PS: I propose that we implement an "assertSessionNotTimedOut()" that does
both idle and absolute timeout checking - and just logs the user out if
the session is not active...
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
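The combined idle/absolute check proposed in the PS, together with the minute-to-millisecond conversion the message is about, as an added example. This is not ESAPI project code: the Session interface and FakeSession class are stand-ins for javax.servlet.http.HttpSession so the example compiles and runs without a servlet container, and the constant names, the assertSessionNotTimedOut signature and the sample timestamps are assumptions made for illustration. TimeUnit does the conversion so the units are explicit, and the main method shows what the hours multiplier (1000 * 60 * 60) would have produced for a 120-minute setting.

```java
import java.util.concurrent.TimeUnit;

// Added example, not ESAPI project code. Session and FakeSession stand in for
// javax.servlet.http.HttpSession (times are epoch milliseconds, as in the servlet API).
public class SessionTimeoutCheck {

    interface Session {
        long getCreationTime();
        long getLastAccessedTime();
        void invalidate();
    }

    // Configured values in minutes, mirroring the ESAPI.properties keys (assumed names).
    static final long IDLE_TIMEOUT_MINUTES = 20;
    static final long ABSOLUTE_TIMEOUT_MINUTES = 120;

    // Explicit unit conversion: 120 minutes -> 7,200,000 ms.
    static long minutesToMillis(long minutes) {
        return TimeUnit.MINUTES.toMillis(minutes);
    }

    static boolean isSessionAbsoluteTimeout(Session session, long nowMillis) {
        if (session == null) return true;
        long deadline = session.getCreationTime() + minutesToMillis(ABSOLUTE_TIMEOUT_MINUTES);
        return nowMillis > deadline;
    }

    static boolean isSessionIdleTimeout(Session session, long nowMillis) {
        if (session == null) return true;
        long deadline = session.getLastAccessedTime() + minutesToMillis(IDLE_TIMEOUT_MINUTES);
        return nowMillis > deadline;
    }

    // Combined check (hypothetical signature): returns true if the session is
    // still live; otherwise invalidates it, i.e. logs the user out, and returns false.
    static boolean assertSessionNotTimedOut(Session session, long nowMillis) {
        if (session == null) return false;
        if (isSessionAbsoluteTimeout(session, nowMillis) || isSessionIdleTimeout(session, nowMillis)) {
            session.invalidate();
            return false;
        }
        return true;
    }

    // Constructed fake session for the demonstration in main().
    static class FakeSession implements Session {
        final long created, lastAccessed;
        boolean invalidated;
        FakeSession(long created, long lastAccessed) {
            this.created = created;
            this.lastAccessed = lastAccessed;
        }
        public long getCreationTime() { return created; }
        public long getLastAccessedTime() { return lastAccessed; }
        public void invalidate() { invalidated = true; }
    }

    public static void main(String[] args) {
        long t0 = 1_000_000_000_000L; // arbitrary epoch-millis "now"
        long min = minutesToMillis(1);

        // Created 30 min ago, last touched 5 min ago: still live.
        FakeSession live = new FakeSession(t0 - 30 * min, t0 - 5 * min);
        System.out.println("live session ok: " + assertSessionNotTimedOut(live, t0));

        // Created 30 min ago but idle for 25 min: idle timeout, session invalidated.
        FakeSession idle = new FakeSession(t0 - 30 * min, t0 - 25 * min);
        System.out.println("idle session ok: " + assertSessionNotTimedOut(idle, t0)
                + " (invalidated=" + idle.invalidated + ")");

        // Touched 1 min ago but created 121 min ago: absolute timeout regardless of activity.
        FakeSession old = new FakeSession(t0 - 121 * min, t0 - 1 * min);
        System.out.println("old session ok: " + assertSessionNotTimedOut(old, t0)
                + " (invalidated=" + old.invalidated + ")");

        // The unit mistake: an hours-to-millis multiplier applied to a minutes value.
        long wrong = 1000L * 60 * 60 * ABSOLUTE_TIMEOUT_MINUTES;
        System.out.println("120 min as ms: " + minutesToMillis(ABSOLUTE_TIMEOUT_MINUTES)
                + "; with 1000*60*60 multiplier: " + wrong + " ms (120 hours)");
    }
}
```

Compile and run with `javac SessionTimeoutCheck.java && java SessionTimeoutCheck`. The absolute check deliberately ignores last-access time, so a session that is kept alive by steady requests still expires at the configured lifetime; the idle check alone would never catch that case.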