Bug #7498
allow a single Web client launch if the client presses ENTER key multiple times
0%
Related issues
History
#2 Updated by Constantin Asofiei 10 months ago
In the FWD Web client login page, if the FWD client presses the ENTER key multiple times, each keystroke will be posted to the FWD server; this in turn will try to launch a client for each case.
In #7479, a protection was added to allow the FWD server to 'self heal' if the FWD client fails to start completely; previously, a config resource (which includes the Web port for the FWD client jetty web server) remained 'in use' and never re-allocated, ending up in a 'no ports available' scenario.
The caveat with the changes in #7479 is this: it will take 30 seconds (or the watchdog timer value, whichever is higher) for the FWD server to 'self heal'. But, if a user spams the ENTER key in the Web client login form, there is nothing preventing a 'small denial-of-service' happening. I don't know how to protect against this.
This task is meant to add protection code on server-side, to allow only the first submit to go through.
#3 Updated by Constantin Asofiei 9 months ago
- Related to Bug #3304: Eliminate denial of service in virtual desktop mode added
#4 Updated by Galya B 6 months ago
With trunk r14783 (3931a merged) default login page has a 'Sign In' button, that gets disabled on the first click, until a response is returned. This is client-side protection and prevents unintentional DOS.
The server-side protection lies in the essence of SSO. If SSO is implemented and enabled, the client process launches only after the in-app user is authenticated, so the offender can be easily identified. Also SsoAuthenticator implementation can deny access if the customer decides to keep track of the frequency of sign-ins. It's in the hands of the customers to apply such DOS protection.