  1. OpenAM
  2. OPENAM-875

"Maximum number of concurrent sessions allowed for a user" when MULTI_SERVER_MODE

    Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Snapshot9.5.2
    • 9.5.5, 10.0.0
    • None
    • All

      Description

      If you are running OpenAM in MULTI_SERVER_MODE (you have a site configuration), it seems that you cannot use the "Maximum number of concurrent sessions allowed for a user" limit if you do not use Session Fail Over (SFO).

      Why is there this limitation on using a session quota per user? The SessionCount.getAllSessionsByUUID(String id) method implementation even seems to support counting sessions from other members of the site.

      If you cannot easily limit sessions per user, this is a critical security issue. Some evil user/hacker could cause a denial-of-service attack on OpenAM with their own or a stolen user identity.

      The per-user session limit configuration should not be tied to SFO. There should be at least a lite way to limit user sessions, even per server.

            People

            markdr Mark de Reeper
            jylkka jylkka