I'm trying to get 3.3 M2 URL Session rewriting to work. My server.xml includes: <SessionId cookiesFirst="false" noCookies="false" /> My web.xml includes: <login-config> <auth-method>FORM</auth-method> <realm-name>SOMEREALM</realm-name> <form-login-config> <form-login-page>/login.jsp</form-login-page> <form-error-page>/login.jsp</form-error-page> </form-login-config> </login-config> My login form looks like: <FORM name='loginForm' method="POST" action='<%= response.encodeURL("j_security_check")%>'> <input TYPE="text" NAME="j_username" SIZE=20 MAXLENGTH=40 tabindex=1> <INPUT TYPE="password" NAME="j_password" SIZE=20 tabindex=2> </FORM> Here is the behavior I'm seeing: 1) with cookies turned on for my browser, I get a "Basic" Auth popup request for authentication. I don't really understand why I am getting this, since I've specifically indicated FORM as my auth-method 2) When I turn on cookies on my browser, and change SessionID on server.xml to: <SessionId cookiesFirst="true" noCookies="false" /> I get a form page and authentication works fine. I'm wondering if anyone has URL Session rewriting with auth FORM working? If so, is there any experiences you can offer to help me out with getting URL session rewriting to work. -Tom