On 28/05/2015 10:22, Leonid Rozenblyum wrote:
> Hello experts.
>
> We are using FormAuthenticator and face a following issue:
>
> 1) Session persistence is disabled
> 2) User is on login page
> 3) Restart Tomcat
> 4) User tries authentication
>
> He receives error 400 or 408.
>
> While digging deeper we discovered that in this case Tomcat validates
> session id and if it's old/invalid - prevents logging-in even though
> valid credentials are passed.
>
> We tried landingPage solution - it looks better than error 400/408 but
> anyway it forces user to enter credentials twice (or we don't know how
> to pass credentials to landingPage implicitly).
>
> We think that an improvement of user experience would be :
>
> FormAuthenticator: 255
> if (session == null) {
>     session = request.getSessionInternal(false);
> }
>
> ==>
> if (session == null) {
>     session = request.getSessionInternal(true);
> }
>
> So if session is invalid or missing - simply create it.
>
> Does this idea make sense?

No. It makes no sense at all.

> Can we achieve the goal of not forcing user entering credentials twice
> without changes in Tomcat ?

No. The credentials are stored in the session. If you restart Tomcat with session persistence disabled those credentials are lost and the user is going to have to re-enter them.

Mark
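
The setup discussed in this thread, as an added configuration example that is not part of the original messages: a web application's `META-INF/context.xml` with session persistence disabled and the `landingPage` attribute set on the FormAuthenticator valve. The path `/secure/home.jsp` is an assumed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml (constructed example, not from the thread) -->
<Context>

  <!-- "Session persistence is disabled": an empty pathname stops the
       default StandardManager from saving sessions at shutdown and
       reloading them at startup, so every session, including the one
       created for the login page, is gone after a restart. -->
  <Manager pathname="" />

  <!-- The "landingPage solution": when the login form is submitted and
       there is no session holding a saved request, Tomcat redirects to
       this page instead of answering 400 or 408. The path is an
       assumption; it should point at a resource covered by a
       security-constraint in web.xml. -->
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         landingPage="/secure/home.jsp" />

</Context>
```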