Bug 40473

GemStone/S 64 Bit

2.4.2, 2.4.1, 2.4, 2.3.1, 2.3, 2.2.5, 2.2.x, 2.2, 2.1.4, 2.1.x, 2.1, 2.0.x, 2.0


Simultaneous logins by the same userId can result in disabled account

If two logins for the same userId occur within the same clock second, a
logic error in the code compares the password age, rather than the time
since last login, to the staleAccountAgeLimit. So, if the time since the
last password change is longer than the staleAccountAgeLimit, the account's
login may be disabled with the reason "StaleAccount".

This bug requires a passwordAgeLimit that is larger than the staleAccountAgeLimit,
as well as near-simultaneous logins by a single userId, and so is rare
in practice.


Setting a passwordAgeLimit that is smaller than the staleAccountAgeLimit
avoids the problem. Alternatively, manually resetting the password (to the
same password, if that is allowed by the security configuration) resets
the password change date.
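
The failure mode and the configuration condition described above, as a simplified Python model added here for illustration. It is not GemStone code: the `Account` fields, the function names, the hour unit for the limits and the sample values are all assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600  # model assumption: limits in hours, clock in whole seconds

@dataclass
class Account:
    user_id: str
    password_changed: int  # clock second of the last password change
    last_login: int        # clock second of the last successful login
    disabled_reason: Optional[str] = None

def login(acct, now, stale_limit_h, buggy=True):
    """Model one login at clock second `now`; True if it succeeds."""
    if acct.disabled_reason:
        return False
    if buggy and now == acct.last_login:
        # Defect as the report describes it: a second login in the same
        # clock second measures password age, not time since last login.
        age = now - acct.password_changed
    else:
        age = now - acct.last_login
    if age > stale_limit_h * HOUR:
        acct.disabled_reason = "StaleAccount"
        return False
    acct.last_login = now
    return True

def at_risk(accounts, now, password_age_limit_h, stale_limit_h):
    """User ids the defect could disable under this configuration."""
    if password_age_limit_h <= stale_limit_h:
        return []  # precondition from the report is not met
    return [a.user_id for a in accounts
            if now - a.password_changed > stale_limit_h * HOUR]

def demo(buggy):
    """Two logins in one clock second by an active user (constructed data)."""
    now = 100 * 24 * HOUR
    acct = Account("app_user", password_changed=now - 60 * 24 * HOUR,
                   last_login=now - HOUR)
    first = login(acct, now, stale_limit_h=720, buggy=buggy)
    second = login(acct, now, stale_limit_h=720, buggy=buggy)
    return first, second, acct.disabled_reason
```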

Last updated: 4/28/10