Ok, in a way the problem is "solved", as I apparently was trying to achieve something that goes against the implemented behaviour.
On the default page of the site I put a login form as described in the Servlet spec. I then specified the default page to be the login page and listed all other pages on the site (except the access denied page) as protected.

The behaviour that I expected was:

1) If a user visits the site he has the option to log in.
2) If he returns to the site via an old link/favourite, the default page will be shown for him to log in.

As I understand it now, this setup cannot be achieved using form authentication. In my mind that makes form authentication completely useless. Hopefully I got it all wrong, and there is a way to achieve my goal.

"Mark Thomas" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> hv @ Fashion Content wrote:
>> So what if my login page does NOT create a session and the user browses
>> to the login page and then enters credentials?
>
> Tomcat will create one if it does not exist.
>
> I recognise the text "The time allowed for the login process has been
> exceeded. If you wish to continue you must either click back twice and
> re-click the link you requested or close and re-open your browser" as
> something I wrote so I am pretty sure this is coming from Tomcat. The
> message is generated when the session is invalid. This was only seen as
> the result of a time-out but could also be as a result of other session
> problems.
>
> Using a tool like ieHttpHeaders (IE), Live HTTP Headers (Firefox) or
> TcpMon (from Apache Axis) should help you figure out what is going on.
>
> Mark