Well, the issue is that if the user enters CORRECT credentials AFTER a Tomcat
restart, he sees Error 400/408

On Thu, May 28, 2015 at 12:29 PM, Mark Thomas <ma...@apache.org> wrote:
> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>> Hello experts.
>>
>> We are using FormAuthenticator and face the following issue:
>>
>> 1) Session persistence is disabled
>> 2) User is on login page
>> 3) Restart Tomcat
>> 4) User tries authentication
>>
>> He receives error 400 or 408.
>>
>> While digging deeper we discovered that in this case Tomcat validates
>> the session id and if it's old/invalid - prevents logging in even though
>> valid credentials are passed.
>>
>> We tried the landingPage solution - it looks better than error 400/408 but
>> anyway it forces the user to enter credentials twice (or we don't know how
>> to pass credentials to landingPage implicitly).
>>
>> We think that an improvement of user experience would be:
>>
>> FormAuthenticator: 255
>>         if (session == null) {
>>             session = request.getSessionInternal(false);
>>         }
>>
>> ==>
>>         if (session == null) {
>>             session = request.getSessionInternal(true);
>>         }
>>
>> So if the session is invalid or missing - simply create it.
>>
>> Does this idea make sense?
>
> No. It makes no sense at all.
>
>> Can we achieve the goal of not forcing the user to enter credentials twice
>> without changes in Tomcat?
>
> No. The credentials are stored in the session. If you restart Tomcat
> with session persistence disabled those credentials are lost and the
> user is going to have to re-enter them.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
