https://bz.apache.org/bugzilla/show_bug.cgi?id=67793
--- Comment #2 from Mircea Butmalai <mircea.butma...@radcom.ro> --- Hi Channa, Yes it is the same issue and the proposed code correction (or any equivalent form) actually solves your problem too. The proposed code correction actually preserves the added functionality documented as "Harden the FORM authentication process against DoS attacks" and solves the problem of honoring the session timeout configuration from web.xml. I am also waiting that proposed code correction (or any equivalent form) to reach all maintained branches of Tomcat (8.5.x, 9.0.x, 10.1.x and main = 11.x) that have this problem. Thanks, Mircea -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org