add optional nonce to permit distinguishing multiple simultaneous auth using the same username
Bug #1348731 reported by
Galen Charlton
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Evergreen |
Fix Released
|
Medium
|
Unassigned | ||
| 2.5 |
Fix Released
|
Undecided
|
Unassigned | ||
| 2.6 |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
If multiple login attempts are made using the same username within a
very short period of time, a race condition exists where, upon
completion of the first login, the auth init cache data for any pending
logins are removed, since there can only be one instance of cached init
data per username.
This has been observed with the SIP2 gateway when multiple devices have
been configured to use the same account. Consequences include:
- failed logins
- incrementing of the failed login counter, which can ultimately lock out
all of the devices that use a given username to authenticate
In principle, the race condition could also affect public web services that
do authentication as part of initialization.
Evergreen master
| Changed in evergreen: | |
| importance: | Undecided → Medium |
Revision history for this message
| Galen Charlton (gmc) wrote | #1 |
| tags: | added: pullrequest |
| Changed in evergreen: | |
| milestone: | none → 2.7.0-beta1 |
Revision history for this message
| Mike Rylander (mrylander) wrote | #2 |
| Changed in evergreen: | |
| status: | New → Fix Committed |
| Changed in evergreen: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Two patches to add support for a login nonce and make the SIP gateway use it are available at the tip of the user/gmcharlt/
http://