[OPENAM-4413] Agent sessions are affected by active session quotas when com.iplanet.am.session.agentSessionIdleTime is used Created: 01/Sep/14 Updated: 20/Nov/16 Resolved: 11/Dec/14 |
|
| Status: | Resolved |
| Project: | OpenAM |
| Component/s: | authentication, session |
| Affects Version/s: | 10.0.0, 11.0.0 |
| Fix Version/s: | 10.0.3, 11.0.3, 12.0.1, 13.0.0 |
| Type: | Bug | Priority: | Major |
| Reporter: | Ian Packer [X] (Inactive) | Assignee: | Peter Major [X] (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | release-notes | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
openam-4413-diff.txt
|
||||||||||||
| Issue Links: |
|
||||||||||||
| Support Ticket IDs: | |||||||||||||
| Description |
|
If advanced server property 'com.iplanet.am.session.agentSessionIdleTime' is set to something other than 0 (i.e agent sessions will get timed out), OpenAM begins enforcing active session quotas on the agent users. "2014-08-23 09:25:56" "Maximum Sessions Limit Reached.|module_instance|Application" id=WebAgent,ou=agent,dc=openam,dc=forgerock,dc=org "Not Available" 192.168.56.3 INFO dc=openam,dc=forgerock,dc=org "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" AUTHENTICATION-268 Application "Not Available" 192.168.56.3 To reproduce:
|
| Comments |
| Comment by Jari Ahonen [ 03/Sep/14 ] |
|
Attached is a patch that fixes this bug. I'm not sure about the reasoning behind treating all expiring sessions as user sessions in InternalSession.isAppSession() but flagging all sessions as user sessions in LoginState.setSessionProperties() is clearly not right. |
| Comment by Peter Major [X] (Inactive) [ 03/Sep/14 ] |
|
Jari, the issue with LoginState is tracked under |
| Comment by Jari Ahonen [ 03/Sep/14 ] |
|
Thanks Peter, looks like the proposed fix in that one is exactly the same as what I came up with.
|
| Comment by Peter Major [X] (Inactive) [ 09/Dec/14 ] |
|
After looking at this a bit further, this issue will also result in enforcing the maximum session limit when the com.iplanet.am.session.agentSessionIdleTime setting is enabled. To test this, simply authenticate 5001 times using module=Application. |
| Comment by Peter Major [X] (Inactive) [ 09/Dec/14 ] |
|
Jari Ahonen had a look at the logic, and there is no immediate reason to check for the willExpireFlag as well, since it looks like setType(Session.APPLICATION_SESSION) and setExpire(false) is always called together. |
| Comment by Jari Ahonen [ 10/Dec/14 ] |
|
Hi, I have used the patch I attached earlier to get around this problem. It seems to work fine but it has one side-effect: The active session counts reported in the statistics seem to go wrong (the active session counts in amMasterSessionTableStats are (much) lower than what you see in admin console). No idea why this happens, I tried to track it down but lost interest as finding the problem seemed complicated and it wasn't that important for me. |
| Comment by Peter Major [X] (Inactive) [ 11/Dec/14 ] |
|
Fixed with R11787 R11788 and R11789 |
| Comment by Peter Major [X] (Inactive) [ 28/Jan/15 ] |
|
Backported with R12241 |