Details
Bug
Resolution: Fixed
Low
Description
CrowdHttpAuthenticatorImpl.isAuthenticated should only check the session after sessionValidationInterval. However, it makes an unconditional check that the request has a Crowd token cookie present. The check ignores the fix in CWD-2326 to use the remotely-configured cookie name, which means it doesn't cause a performance problem. However, in the case of a token name mismatch, it could cause a user to wrongly be reported as unauthenticated.
Move the check after the validation time check and use getCookieTokenKey().
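
The ordering problem and the requested fix, as a simplified Java model. This is an added example, not Crowd's source code: only isAuthenticated, getCookieTokenKey() and sessionValidationInterval come from the issue, while the cookie names, the interval value and the validateRemotely helper are constructed for illustration.

```java
import java.util.Map;

public class AuthOrderingDemo {
    // Constructed values; the real names and interval come from Crowd's configuration.
    static final String DEFAULT_COOKIE_NAME = "default-token";
    static final long SESSION_VALIDATION_INTERVAL_MS = 60_000;

    // Stand-in for the remotely-configured cookie name (constructed value).
    static String getCookieTokenKey() { return "custom-token"; }

    // Hypothetical stand-in for the remote session validation call.
    static boolean validateRemotely(String token) { return token != null && !token.isEmpty(); }

    // True when the session was validated less than one interval ago.
    static boolean recentlyValidated(Long lastValidated, long now) {
        return lastValidated != null && now - lastValidated < SESSION_VALIDATION_INTERVAL_MS;
    }

    // Behaviour the issue describes: the cookie presence check runs unconditionally,
    // before the interval check, and looks for the default cookie name.
    static boolean isAuthenticatedBefore(Map<String, String> cookies, Long lastValidated, long now) {
        if (!cookies.containsKey(DEFAULT_COOKIE_NAME)) {
            return false; // name mismatch: a valid session is reported as unauthenticated
        }
        if (recentlyValidated(lastValidated, now)) {
            return true;
        }
        return validateRemotely(cookies.get(getCookieTokenKey()));
    }

    // Ordering the issue asks for: interval check first, then the cookie lookup
    // through getCookieTokenKey().
    static boolean isAuthenticatedAfter(Map<String, String> cookies, Long lastValidated, long now) {
        if (recentlyValidated(lastValidated, now)) {
            return true;
        }
        return validateRemotely(cookies.get(getCookieTokenKey()));
    }

    public static void main(String[] args) {
        // Constructed request: token stored under the remotely-configured name,
        // session last validated 10 seconds ago.
        Map<String, String> cookies = Map.of("custom-token", "constructed-token-value");
        long now = 100_000L;
        Long lastValidated = 90_000L;
        System.out.println("before fix: " + isAuthenticatedBefore(cookies, lastValidated, now));
        System.out.println("after fix:  " + isAuthenticatedAfter(cookies, lastValidated, now));
    }
}
```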