Well, the issue is that if the user enters CORRECT credentials AFTER a Tomcat restart, he sees Error 400/408.

On Thu, May 28, 2015 at 12:29 PM, Mark Thomas <ma...@apache.org> wrote:
> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>> Hello experts.
>>
>> We are using FormAuthenticator and face the following issue:
>>
>> 1) Session persistence is disabled
>> 2) User is on login page
>> 3) Restart Tomcat
>> 4) User tries authentication
>>
>> He receives error 400 or 408.
>>
>> While digging deeper we discovered that in this case Tomcat validates
>> session id and if it's old/invalid - prevents logging-in even though
>> valid credentials are passed.
>>
>> We tried landingPage solution - it looks better than error 400/408 but
>> anyway it forces user to enter credentials twice (or we don't know how
>> to pass credentials to landingPage implicitly).
>>
>> We think that an improvement of user experience would be :
>>
>> FormAuthenticator: 255
>> if (session == null) {
>>     session = request.getSessionInternal(false);
>> }
>>
>> ==>
>> if (session == null) {
>>     session = request.getSessionInternal(true);
>> }
>>
>> So if session is invalid or missing - simply create it.
>>
>> Does this idea make sense?
>
> No. It makes no sense at all.
>
>> Can we achieve the goal of not forcing user entering credentials twice
>> without changes in Tomcat ?
>
> No. The credentials are stored in the session. If you restart Tomcat
> with session persistence disabled those credentials are lost and the
> user is going to have to re-enter them.
>
> Mark
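
A simplified model of the login POST path discussed in this thread, added here as an illustration; it is not Tomcat source and not code from either poster. The order of checks (credentials, then session lookup, then saved request) and the names `FormLoginModel`, `store` and `savedRequest` are assumptions of the model.

```java
import java.util.HashMap;
import java.util.Map;

/** Simplified model of FORM login POST handling (illustration only, not Tomcat source). */
public class FormLoginModel {

    /** Stand-in for a server-side session; "savedRequest" is the URL the user first asked for. */
    static final class Session {
        final Map<String, Object> notes = new HashMap<>();
    }

    /** Stand-in for the session store: emptied by a restart when persistence is disabled. */
    static final Map<String, Session> store = new HashMap<>();

    /**
     * Outcome of POSTing the login form.
     * createIfMissing=false models getSessionInternal(false); true models the proposed change.
     */
    static String login(String sessionId, boolean validCredentials,
                        String landingPage, boolean createIfMissing) {
        if (!validCredentials) {
            return "forward to error page";
        }
        Session session = store.get(sessionId);
        if (session == null && createIfMissing) {
            session = new Session();              // fresh session: holds no saved request
            store.put("new-id", session);         // constructed id, for the model only
        }
        if (session == null) {
            return "408";                         // pre-restart session id is unknown
        }
        session.notes.put("principal", "user");   // authenticated identity lives in the session
        Object saved = session.notes.get("savedRequest");
        if (saved != null) return "302 " + saved; // normal case: back to the original URL
        if (landingPage != null) return "302 " + landingPage;
        return "400";                             // nowhere to send the user
    }

    public static void main(String[] args) {
        Session s = new Session();
        s.notes.put("savedRequest", "/app/protected");          // constructed sample URL
        store.put("ABC", s);
        System.out.println(login("ABC", true, null, false));    // before restart
        store.clear();                                          // restart, persistence disabled
        System.out.println(login("ABC", true, null, false));    // current lookup, stale id
        System.out.println(login("ABC", true, null, true));     // proposed change, no landingPage
        System.out.println(login("ABC", true, "/app/home", true)); // proposed change + landingPage
    }
}
```

In this model the stale session id is rejected before the saved-request check is reached, and a freshly created session never contains the original request URL, so the outcome then depends on whether a landing page is configured.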