  1. OpenAM
  2. OPENAM-875

"Maximum number of concurrent sessions allowed for a user" when MULTI_SERVER_MODE


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Snapshot9.5.2
    • Fix Version/s: 9.5.5, 10.0.0
    • Labels:
      None
    • Environment:
      All

      Description

      If you are running OpenAM in MULTI_SERVER_MODE (you have a site configuration), it seems that you cannot use the "Maximum number of concurrent sessions allowed for a user" limit if you do not use Session Fail Over (SFO).

      Why is there this limitation on using a session quota per user? The SessionCount.getAllSessionsByUUID(String id) method implementation seems to even support session calculations from other members of sites.

      If you cannot easily limit sessions per user, this is a critical security issue. Some evil user/hacker could cause a denial-of-service attack on OpenAM with their own or a stolen user identity.

      The session limit per user configuration should not be tied to SFO. There should be at least a lightweight way to limit user sessions, even per server.
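
      A per-server limit of the kind requested above can be modelled as follows. This is an added example, not OpenAM code and not part of the original report; `LocalSessionQuota`, `tryAcquire` and `release` are hypothetical names and the user identifier is a constructed sample. It also shows the caveat of counting locally: with no shared session state, one identity can hold up to (servers × limit) sessions across the site.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical per-server session quota (illustration only, not OpenAM code). */
public class LocalSessionQuota {
    private final int maxPerUser; // limit enforced by this server alone
    private final Map<String, Integer> active = new ConcurrentHashMap<>();

    public LocalSessionQuota(int maxPerUser) {
        this.maxPerUser = maxPerUser;
    }

    /** Reserve a session slot for the user; false means the login is refused. */
    public boolean tryAcquire(String uuid) {
        boolean[] granted = {false};
        // compute() is atomic per key, so concurrent logins cannot overshoot the limit
        active.compute(uuid, (k, n) -> {
            int count = (n == null) ? 0 : n;
            if (count >= maxPerUser) {
                return n; // quota reached, leave the counter unchanged
            }
            granted[0] = true;
            return count + 1;
        });
        return granted[0];
    }

    /** Call on logout or session timeout so the slot becomes available again. */
    public void release(String uuid) {
        active.computeIfPresent(uuid, (k, n) -> n > 1 ? n - 1 : null);
    }

    public static void main(String[] args) {
        int servers = 3, limit = 2, granted = 0;
        // Three site members that do not share session state (no SFO)
        LocalSessionQuota[] site = new LocalSessionQuota[servers];
        for (int i = 0; i < servers; i++) {
            site[i] = new LocalSessionQuota(limit);
        }
        String uuid = "id=demo,ou=user,dc=example,dc=com"; // constructed sample
        // Ten logins for one identity, spread round-robin by a load balancer
        for (int login = 0; login < 10; login++) {
            if (site[login % servers].tryAcquire(uuid)) {
                granted++;
            }
        }
        System.out.println("granted " + granted + " of 10 logins, limit " + limit);
        site[0].release(uuid); // one session on server 0 ends
        System.out.println("server 0 accepts again: " + site[0].tryAcquire(uuid));
    }
}
```

      The site-wide ceiling only equals the configured limit when every member counts the same sessions, which is the cross-server lookup the report attributes to SessionCount.getAllSessionsByUUID.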


            People

            • Assignee:
              markdr Mark de Reeper
              Reporter:
              jylkka Tuomo Jylkkä