[OPENAM-875] "Maximum number of concurrent sessions allowed for a user" when MULTI_SERVER_MODE Created: 13/Oct/11  Updated: 21/Aug/12  Resolved: 09/Feb/12

Status: Closed
Project: OpenAM
Component/s: authentication, security, session
Affects Version/s: Snapshot9.5.2
Fix Version/s: 9.5.5, 10.0.0

Type: New Feature Priority: Major
Reporter: jylkka Assignee: Mark de Reeper
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified
Environment:

All


Sub-Tasks:
Key          Summary                                    Type      Status  Assignee
OPENAM-1032  Add details to the release notes and ...   Sub-task  Closed  Mark Craig

Description

If you are running OpenAM in MULTI_SERVER_MODE (you have a site configuration), it seems that you cannot use the "Maximum number of concurrent sessions allowed for a user" limit if you do not use Session Fail Over (SFO).

Why is there this limitation on using the session quota per user? The SessionCount.getAllSessionsByUUID(String id) method implementation seems to even support session calculations from other members of the site.

If you cannot easily limit sessions per user, this is a critical security issue. Some evil user/hacker could cause a denial-of-service attack against OpenAM with their own or a stolen user identity.

The session limit per user configuration cannot be related to SFO. There should be at least a lightweight way to limit user sessions, even per server.



Comments
Comment by Peter Major [ 23/Oct/11 ]

This is not a critical issue.
Although the servers can access others to collect all the sessions, it just kills performance. Having per-server session limit looks a valid RFE to me.

Comment by Mark de Reeper [ 09/Feb/12 ]

Fixed in R1667 and R1668.

Added a new property called openam.session.useLocalSessionsInMultiServerMode, that when set to true, will allow local session counting to be used to apply session quotas when running in Site mode without the use of the session failover components (known in the code as MULTI_SERVER_MODE). True session quotas across all server instances in Site mode still requires using the session failover components.
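The trade-off described in the comment above (local counting caps sessions per server, not per site) as an added illustrative model. This is not OpenAM code: the Server/Site/flood names, the in-memory session store and the "deny the new session when the quota is reached" exhaustion policy are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class Server:
    """One server instance that only knows about the sessions it issued itself."""

    def __init__(self, name: str) -> None:
        self.name = name
        # user id -> set of session ids issued by this server (constructed model)
        self.sessions: Dict[str, Set[str]] = defaultdict(set)


class Site:
    """Several servers sharing one per-user session quota.

    use_local_sessions=True models the property from the fix
    (openam.session.useLocalSessionsInMultiServerMode=true): each server
    enforces the quota against the sessions it holds locally.
    use_local_sessions=False models a site-wide count, which the comment says
    requires the session failover components. Hypothetical model, not OpenAM code.
    """

    def __init__(self, names: List[str], quota: int, use_local_sessions: bool) -> None:
        self.servers = {n: Server(n) for n in names}
        self.quota = quota
        self.use_local_sessions = use_local_sessions

    def active_sessions(self, server: Server, user: str) -> int:
        """Number of sessions counted against the quota for a login on `server`."""
        if self.use_local_sessions:
            return len(server.sessions[user])
        return sum(len(s.sessions[user]) for s in self.servers.values())

    def login(self, server_name: str, user: str) -> bool:
        """Attempt a login on one server; deny once the quota is reached.

        Exhaustion is modelled as "deny the new session" (assumption); policies
        that destroy an older session instead are not modelled here.
        """
        server = self.servers[server_name]
        if self.active_sessions(server, user) >= self.quota:
            return False
        sid = f"{server_name}:{user}:{len(server.sessions[user]) + 1}"
        server.sessions[user].add(sid)
        return True


def flood(site: Site, user: str, attempts_per_server: int) -> int:
    """Spread logins for one identity across every server; return how many were granted."""
    granted = 0
    for name in site.servers:
        for _ in range(attempts_per_server):
            if site.login(name, user):
                granted += 1
    return granted


def compare_modes(servers: int = 3, quota: int = 5, attempts: int = 10) -> Tuple[int, int]:
    """Sessions one identity ends up holding under local vs site-wide counting."""
    names = [f"server{i}" for i in range(1, servers + 1)]
    local = Site(names, quota, use_local_sessions=True)
    sitewide = Site(names, quota, use_local_sessions=False)
    return flood(local, "alice", attempts), flood(sitewide, "alice", attempts)


if __name__ == "__main__":
    local_total, sitewide_total = compare_modes()
    print(f"local counting:     {local_total} sessions for one identity")
    print(f"site-wide counting: {sitewide_total} sessions for one identity")
```

With N servers and a quota of Q, local counting still lets a single identity hold up to N×Q sessions if the logins are spread across the servers, whereas site-wide counting stops at Q. That is the residual exposure behind the comment's caveat that true site-wide quotas still need the session failover components.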

Generated at Tue Mar 31 18:58:03 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.