Reputation: 19
I have an application using TIdHttpServer. How can I set a timeout for sockets that are slow at writing messages?
A recent security scan of my application revealed some vulnerabilities regarding connected clients to the webserver. The main vulnerability was that clients sending slow requests to the server were not dropped. In an attempt to fix this, I added ReadTimeout to the client connections in the server's OnConnect event.
procedure TForm1.IdHTTPServer1Connect(AContext: TIdContext);
begin
  AContext.Connection.Socket.ReadTimeout := 15000;
end;
After adding this change a newer security scan revealed that the server resets the timeout after accepting a packet from the client. To solve this issue, I am trying to come up with a way to establish a write timeout for the sockets, rather than the ReadTimeout shown. In other words, I don't want a socket writing data to refresh the timeout that controls the connection from being dropped. Can this be done?
Upvotes: 1
Views: 245
Reputation: 596582
The ReadTimeout applies on each attempt to read bytes from the connection. Each read uses the full timeout. Think of it as a per-byte timeout.
There is currently no per-request timeout in TIdHTTPServer to limit the amount of time it is allowed to read a complete HTTP request.
To get something like that, try this:
1. set the server's KeepAlive property to False to disallow multiple HTTP requests per TCP connection (TIdHTTPServer does not have an event to indicate when a new HTTP request begins).
2. in the server's OnConnect event, set the ReadTimeout for how long you want to wait for the HTTP request to begin, and start a timer for the total timeout desired for the entire request.
3. in the server's OnCommand... and OnDisconnect events, stop the timer if it is running.
4. if the timer elapses, close the socket connection.
Upvotes: 1
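A sketch of the steps in the answer above, added here as an illustration and not code from the answerer or from Indy. It is a fragment of the form unit, replaces the "timer per connection" with one deadline per connection checked by a single sweeping TTimer, and assumes the names SweepTimer and TRequestDeadline and the 30-second total budget, none of which appear in the original post.

```delphi
// Added example. Assumes TForm1 owns IdHTTPServer1 and a TTimer named
// SweepTimer (Interval = 1000); SweepTimer and TRequestDeadline are hypothetical.
// uses System.SysUtils, System.DateUtils, IdContext, IdCustomHTTPServer;
type
  TRequestDeadline = class   // per-connection state kept in AContext.Data
    Deadline: TDateTime;     // when the whole request must have arrived
    Armed: Boolean;          // False once the request has been parsed
  end;

procedure TForm1.FormCreate(Sender: TObject);
begin
  IdHTTPServer1.KeepAlive := False;  // step 1: one request per connection
end;

procedure TForm1.IdHTTPServer1Connect(AContext: TIdContext);
var State: TRequestDeadline;
begin
  AContext.Connection.Socket.ReadTimeout := 15000; // per-read wait only
  State := TRequestDeadline.Create;
  State.Deadline := IncSecond(Now, 30);            // assumed total budget
  State.Armed := True;
  AContext.Data := State;  // published only after it is fully initialised
end;

// Step 3: use the same body for OnCommandOther; OnDisconnect disarms the same way.
procedure TForm1.IdHTTPServer1CommandGet(AContext: TIdContext;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
begin
  if AContext.Data <> nil then
    TRequestDeadline(AContext.Data).Armed := False; // request fully read
end;

procedure TForm1.SweepTimerTimer(Sender: TObject);
var
  List: TIdContextList; I: Integer; State: TRequestDeadline;
begin
  List := IdHTTPServer1.Contexts.LockList;  // contexts stay alive while locked
  try
    for I := 0 to List.Count - 1 do
    begin
      State := TRequestDeadline(TIdContext(List[I]).Data);
      if (State <> nil) and State.Armed and (Now > State.Deadline) then
      begin
        State.Armed := False;
        TIdContext(List[I]).Binding.CloseSocket; // step 4: unblocks the read
      end;
    end;
  finally
    IdHTTPServer1.Contexts.UnlockList;
  end;
end;
```

Because the deadline is set once in OnConnect and never refreshed by incoming bytes, a client that keeps each individual read under ReadTimeout is still dropped when the total budget runs out.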