[OPENAM-875] "Maximum number of concurrent sessions allowed for a user" when MULTI_SERVER_MODE Created: 13/Oct/11 Updated: 21/Aug/12 Resolved: 09/Feb/12
Component/s: authentication, security, session
Fix Version/s: 9.5.5, 10.0.0
Reporter: jylkka
Assignee: Mark de Reeper
Σ Remaining Estimate: Not Specified; Remaining Estimate: Not Specified
Σ Time Spent: Not Specified; Time Spent: Not Specified
Σ Original Estimate: Not Specified; Original Estimate: Not Specified
If you are running OpenAM in MULTI_SERVER_MODE (you have a site configuration), it seems that you cannot use the "Maximum number of concurrent sessions allowed for a user" limit if you do not use Session Fail Over (SFO).
Why this limitation on using a session quota per user? The SessionCount.getAllSessionsByUUID(String id) method implementation seems to even support session calculations from the other members of the site.
If you cannot easily limit sessions per user, this is a critical security issue. Some evil user/hacker could cause a denial-of-service attack against OpenAM with one of their own or a stolen user identity.
Session-limit-per-user configuration cannot be tied to SFO. There should at least be a lightweight way to limit user sessions, even per server.
Comment by Peter Major [23/Oct/11]:
This is not a critical issue.
Comment by Mark de Reeper [09/Feb/12]:
Fixed in R1667 and R1668.
Added a new property called openam.session.useLocalSessionsInMultiServerMode that, when set to true, will allow local session counting to be used to apply session quotas when running in Site mode without the use of the session failover components (known in the code as MULTI_SERVER_MODE). True session quotas across all server instances in Site mode still require using the session failover components.
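The practical difference between the three states this issue describes (no quota at all in MULTI_SERVER_MODE without SFO, local counting with the new property, and site-wide counting backed by session failover) is how many sessions one identity can end up holding across a Site. The toy model below is an added illustration, not OpenAM code: the Server/Site classes, the mode names "none", "local" and "site", and the simulate() function are hypothetical stand-ins for the session repository and SessionCount lookups, and the round-robin login distribution is a constructed scenario.

```python
"""Toy model of per-user session quota enforcement across a multi-server Site.

Added illustration, not OpenAM code. Names are hypothetical. The three modes
stand in for:
  "none"  - pre-fix behaviour: quota not applied in MULTI_SERVER_MODE without SFO
  "local" - openam.session.useLocalSessionsInMultiServerMode=true: each server
            counts only the sessions it created itself
  "site"  - session failover in use: the count spans every server in the Site
"""
import itertools
from collections import defaultdict


class Site:
    """A group of servers sharing one per-user quota (constructed model)."""

    def __init__(self, quota):
        self.quota = quota
        self.servers = []
        self.ids = itertools.count(1)  # site-wide session id generator

    def total_sessions(self, user):
        # Ground truth: what the user really holds across the whole Site.
        return sum(len(s.sessions[user]) for s in self.servers)


class Server:
    """One server instance; it only stores the sessions it created."""

    def __init__(self, name, site):
        self.name = name
        self.site = site
        self.sessions = defaultdict(set)  # user id -> set of session ids
        site.servers.append(self)

    def visible_sessions(self, user, mode):
        """Sessions the quota check can see in the given counting mode."""
        if mode == "local":
            return len(self.sessions[user])
        if mode == "site":
            return sum(len(s.sessions[user]) for s in self.site.servers)
        return 0  # "none": the check never sees anything, so it never fires

    def login(self, user, mode):
        """Create a session unless the quota is reached; return its id or None."""
        if mode != "none" and self.visible_sessions(user, mode) >= self.site.quota:
            return None  # quota reached as far as this server can tell
        sid = f"{self.name}-{next(self.site.ids)}"
        self.sessions[user].add(sid)
        return sid


def simulate(n_servers, quota, mode, attempts):
    """Spread `attempts` logins for one user round-robin over n_servers.

    Returns how many sessions that user actually holds afterwards. With "local"
    counting the effective ceiling is quota * n_servers, not quota.
    """
    site = Site(quota)
    servers = [Server(f"srv{i + 1}", site) for i in range(n_servers)]
    for i in range(attempts):
        servers[i % n_servers].login("alice", mode)
    return site.total_sessions("alice")


if __name__ == "__main__":
    for mode in ("none", "local", "site"):
        held = simulate(n_servers=3, quota=2, mode=mode, attempts=10)
        print(f"mode={mode:5s} quota=2 servers=3 -> sessions held: {held}")
```

Running the block shows the shape of the trade-off Mark's comment describes: with a quota of 2 and three servers, "none" lets all 10 logins through, "local" caps the user at 6 (2 per server, so the real bound is quota multiplied by the number of servers), and only "site" enforces the configured 2. When sizing a quota under the new property, treat it as a per-server limit and remember that a load balancer that pins a user to one server will behave close to the "site" case while one that spreads logins will not.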