[CVE-2022-37186] Session destroyed on portal but still valid on handlers while there is activity
Concerned version
Version: 2.0.13
Platform: Apache
Summary
I have activated the "One session per user" option. If I log in a second time with the same account, the first session is indeed destroyed on the portal, but on the handler the session is still valid even after the cache expiration (600s). The session expires on the handler only after 600s of inactivity (no request), while it should expire after 600s (with or without activity).
Logs
When the query is accepted by the handler (just after the session was destroyed on the session backend):
[Fri May 13 13:49:22.382959 2022] [perl:debug] [pid 21187] Apache2.pm(14): Get session 6e29421e589869bc4124bc05aa62bdb20da615f2be290a6e48 from Handler::Main::Run
[Fri May 13 13:49:22.383085 2022] [perl:debug] [pid 21187] Apache2.pm(14): Check session validity from Handler
[Fri May 13 13:49:22.383184 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session timeout -> 72000
[Fri May 13 13:49:22.383288 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session timeoutActivity -> 900s
[Fri May 13 13:49:22.383380 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session _utime -> 1652449119
[Fri May 13 13:49:22.383465 2022] [perl:debug] [pid 21187] Apache2.pm(14): now -> 1652449762
[Fri May 13 13:49:22.383551 2022] [perl:debug] [pid 21187] Apache2.pm(14): _lastSeen -> 1652449119
[Fri May 13 13:49:22.383638 2022] [perl:debug] [pid 21187] Apache2.pm(14): now - _lastSeen = 643
[Fri May 13 13:49:22.383732 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session timeoutActivityInterval -> 250
[Fri May 13 13:49:22.383822 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session TTL = 71357
[Fri May 13 13:49:22.407127 2022] [perl:debug] [pid 21187] Apache2.pm(14): Update _lastSeen with 1652449762
[Fri May 13 13:49:22.407431 2022] [perl:debug] [pid 21187] Apache2.pm(14): No URL authentication level found...
[Fri May 13 13:49:22.407566 2022] [perl:debug] [pid 21187] Apache2.pm(14): api-mediation.dev.flexiblecontactcenter.orange-business.com: Apply default rule
After 600 seconds of inactivity:
[Fri May 13 14:16:08.247736 2022] [perl:info] [pid 21397] Session 6e29421e589869bc4124bc05aa62bdb20da615f2be290a6e48 can't be retrieved
[Fri May 13 14:16:08.247859 2022] [perl:info] [pid 21397] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/vendor_perl/Apache/Session/Store/DBI.pm line 93.
Backends used
I have the following settings:
- Session timeout: 72000
- Sessions activity timeout: 900
- Sessions update interval: 250
- Sessions Storage / cache module options / default_expires_in: 600
Possible fixes
Edited by Maxime Besson
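The timing described in this report, replayed as an added example. This is not LemonLDAP::NG code: it is a small Python model of a handler-side session cache, using the report's own settings (session timeout 72000, activity timeout 900, update interval 250, cache default_expires_in 600), a dict standing in for the DBI backend, and a constructed session id. The `sliding=True` handler re-arms the cache entry's expiry every time the handler writes `_lastSeen` into the cached session, which reproduces what the report observes: the destroyed session stays accepted as long as requests keep arriving, and is only rejected after 600s without requests. The `sliding=False` handler keeps the original fetch time, so the backend is re-consulted at most 600s after the entry was cached, with or without activity, and the destroyed session is then rejected. The class and function names are this example's own.

```python
"""Model of a handler-side session cache with a refresh-on-write (sliding)
expiry versus an absolute expiry.  Added example, not LemonLDAP::NG code;
all session data below is constructed for the scenario in the report."""

import copy

# Settings taken from the report's configuration (seconds).
SESSION_TIMEOUT = 72000            # "Session timeout"
TIMEOUT_ACTIVITY = 900             # "Sessions activity timeout"
TIMEOUT_ACTIVITY_INTERVAL = 250    # "Sessions update interval"
CACHE_DEFAULT_EXPIRES_IN = 600     # cache module option "default_expires_in"


class Backend:
    """Central session store (assumption: a dict standing in for the DBI store)."""

    def __init__(self):
        self.sessions = {}

    def create(self, sid, now):
        self.sessions[sid] = {"_utime": now, "_lastSeen": now}

    def destroy(self, sid):
        # "One session per user": the first session is removed on second login.
        self.sessions.pop(sid, None)

    def get(self, sid):
        s = self.sessions.get(sid)
        return copy.deepcopy(s) if s is not None else None

    def update_last_seen(self, sid, now):
        if sid in self.sessions:
            self.sessions[sid]["_lastSeen"] = now


class Handler:
    """Handler with a local cache.

    sliding=True  : every write to the cached session re-arms the entry's TTL
                    (models the behaviour reported above).
    sliding=False : the TTL counts from the time the entry was fetched, so the
                    backend is re-consulted at most CACHE_DEFAULT_EXPIRES_IN
                    seconds later regardless of activity.
    """

    def __init__(self, backend, sliding):
        self.backend = backend
        self.sliding = sliding
        self.cache = {}  # sid -> {"data": session dict, "cached_at": t}

    def _lookup(self, sid, now):
        entry = self.cache.get(sid)
        if entry is not None and now - entry["cached_at"] < CACHE_DEFAULT_EXPIRES_IN:
            return entry["data"]
        # Cache miss or stale entry: ask the backend and refresh the cache.
        data = self.backend.get(sid)
        if data is None:
            self.cache.pop(sid, None)
            return None
        self.cache[sid] = {"data": data, "cached_at": now}
        return data

    def check(self, sid, now):
        """Return True if the handler accepts a request for `sid` at time `now`."""
        data = self._lookup(sid, now)
        if data is None:
            return False                                  # "can't be retrieved"
        if now - data["_utime"] >= SESSION_TIMEOUT:
            return False                                  # absolute timeout
        if now - data["_lastSeen"] >= TIMEOUT_ACTIVITY:
            return False                                  # activity timeout
        if now - data["_lastSeen"] > TIMEOUT_ACTIVITY_INTERVAL:
            data["_lastSeen"] = now                       # "Update _lastSeen"
            self.backend.update_last_seen(sid, now)       # no-op if destroyed
            if self.sliding:
                self.cache[sid]["cached_at"] = now        # the write re-arms the TTL
        return True


def replay(sliding, destroy=True, times=(300, 600, 900, 1200)):
    """Session created and cached at t=0, destroyed in the backend at t=10
    (second login), then requested at each t in `times`.  Returns the
    accept/reject decision per request."""
    backend = Backend()
    handler = Handler(backend, sliding)
    sid = "constructedsessionid0001"          # constructed id, not the report's
    backend.create(sid, 0)
    handler.check(sid, 0)                     # first request populates the cache
    if destroy:
        backend.destroy(sid)                  # t=10: first session destroyed
    return [handler.check(sid, t) for t in times]


if __name__ == "__main__":
    print("sliding  :", replay(sliding=True))    # destroyed session still accepted
    print("absolute :", replay(sliding=False))   # rejected once the cache TTL ends
```

With the sliding cache the four requests spaced 300s apart are all accepted although the session was destroyed at t=10, and only a gap longer than 600s without requests makes the handler go back to the backend. With the absolute cache the requests at t=300 are still served from cache, and the request at t=600 hits the backend and is refused; a session that still exists in the backend keeps being accepted in both modes.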