[Esapi-user] Change to session timeout functions in 2.0 and 1.4 branch

Jim Manico jim.manico at owasp.org
Tue Jun 15 18:06:03 EDT 2010


I fixed both session timeout functions for the DefaultUser in trunk and 
the 1.4 branch. We need to convert the configured value (which was in 
minutes) to milliseconds for the Date constructor.

*ESAPI config setting in trunk*

# Session Timeouts (in minutes)
Authenticator.IdleTimeoutDuration=20 (implies minutes)
Authenticator.AbsoluteTimeoutDuration=120

*old function*

     public boolean isSessionAbsoluteTimeout() {
         HttpSession session = ESAPI.httpUtilities().getCurrentRequest().getSession(false);
         if ( session == null ) return true;
         // Bug: ABSOLUTE_TIMEOUT_LENGTH is configured in minutes but is added
         // directly to a millisecond timestamp, so the deadline is far too early.
         Date deadline = new Date( session.getCreationTime() + ABSOLUTE_TIMEOUT_LENGTH );
         Date now = new Date();
         return now.after(deadline);
     }

*new function*

     public boolean isSessionAbsoluteTimeout() {
         HttpSession session = ESAPI.httpUtilities().getCurrentRequest().getSession(false);
         if ( session == null ) return true;
         // ABSOLUTE_TIMEOUT_LENGTH is in minutes; 1000 ms * 60 s converts it to
         // milliseconds (1000 * 60 * 60 would treat the value as hours).
         Date deadline = new Date( session.getCreationTime() + (1000L * 60 * ABSOLUTE_TIMEOUT_LENGTH) );
         Date now = new Date();
         return now.after(deadline);
     }

This was a functionality bug, not a security bug since folks using this 
code would just time out a lot earlier.

PS: I propose that we implement an "assertSessionNotTimedOut()" that does 
both idle and absolute timeout checking - and just logs the user out if 
the session is not active...

-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
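To show the idle and absolute checks side by side with the minutes-to-milliseconds conversion done in one place, together with the combined assertSessionNotTimedOut() proposed in the PS, here is an added example that is not ESAPI code and not from the post. The Session class, the method names other than isSessionAbsoluteTimeout, and the exception standing in for the logout are my assumptions; the timestamps are constructed.

```java
import java.util.concurrent.TimeUnit;

// Added example (not ESAPI code): both timeout checks with the minutes-to-millis conversion done
// once, plus the combined assertSessionNotTimedOut() proposed in the post. Session is a
// hypothetical stand-in for the two HttpSession timestamps the checks read.
public class SessionTimeoutExample {
    static final class Session {
        final long creationTime;      // epoch millis, as HttpSession.getCreationTime()
        final long lastAccessedTime;  // epoch millis, as HttpSession.getLastAccessedTime()
        Session(long creationTime, long lastAccessedTime) {
            this.creationTime = creationTime;
            this.lastAccessedTime = lastAccessedTime;
        }
    }
    // Authenticator.IdleTimeoutDuration / AbsoluteTimeoutDuration are configured in minutes;
    // convert once here so the comparisons below never mix units.
    private final long idleTimeoutMillis;
    private final long absoluteTimeoutMillis;

    SessionTimeoutExample(int idleTimeoutMinutes, int absoluteTimeoutMinutes) {
        idleTimeoutMillis = TimeUnit.MINUTES.toMillis(idleTimeoutMinutes);
        absoluteTimeoutMillis = TimeUnit.MINUTES.toMillis(absoluteTimeoutMinutes);
    }
    // Idle: no request has touched the session within the idle window (no session counts as expired).
    boolean isSessionIdleTimeout(Session session, long now) {
        return session == null || now > session.lastAccessedTime + idleTimeoutMillis;
    }

    // Absolute: the session is older than the absolute window, however active it has been.
    boolean isSessionAbsoluteTimeout(Session session, long now) {
        return session == null || now > session.creationTime + absoluteTimeoutMillis;
    }
    // Combined check; the exception stands in for "log the user out" from the post's proposal.
    void assertSessionNotTimedOut(Session session, long now) {
        if (isSessionIdleTimeout(session, now)) throw new IllegalStateException("idle timeout");
        if (isSessionAbsoluteTimeout(session, now)) throw new IllegalStateException("absolute timeout");
    }

    public static void main(String[] args) {
        SessionTimeoutExample checks = new SessionTimeoutExample(20, 120);  // the configured values above
        long m = TimeUnit.MINUTES.toMillis(1);
        Session touched = new Session(0L, 20 * m);   // constructed: created at 0, last request at 20 min
        Session busy = new Session(0L, 120 * m);     // constructed: created at 0, last request at 120 min
        System.out.println("idle at 30 min: " + checks.isSessionIdleTimeout(touched, 30 * m));
        System.out.println("idle at 45 min: " + checks.isSessionIdleTimeout(touched, 45 * m));
        System.out.println("absolute at 121 min: " + checks.isSessionAbsoluteTimeout(busy, 121 * m));
        try { checks.assertSessionNotTimedOut(busy, 121 * m); }
        catch (IllegalStateException e) { System.out.println("logged out: " + e.getMessage()); }
    }
}
```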
