The reason is:
After a Tomcat restart, when logging in, the browser provides an old session
id to the server.

FormAuthenticator treats it as an issue, and either sends an error or the landing page.

On Thu, May 28, 2015 at 12:30 PM, Leonid Rozenblyum
<lrozenbl...@gmail.com> wrote:
> Well, the issue is that if the user enters CORRECT credentials AFTER a Tomcat restart,
> he sees Error 400/408
>
> On Thu, May 28, 2015 at 12:29 PM, Mark Thomas <ma...@apache.org> wrote:
>> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>>> Hello experts.
>>>
>>> We are using FormAuthenticator and face the following issue:
>>>
>>> 1) Session persistence is disabled
>>> 2) User is on login page
>>> 3) Restart Tomcat
>>> 4) User tries authentication
>>>
>>> He receives error 400 or 408.
>>>
>>> While digging deeper we discovered that in this case Tomcat validates
>>> the session id and, if it's old/invalid, prevents logging in even though
>>> valid credentials are passed.
>>>
>>> We tried the landingPage solution - it looks better than error 400/408 but
>>> anyway it forces the user to enter credentials twice (or we don't know how
>>> to pass credentials to landingPage implicitly).
>>>
>>> We think that an improvement of the user experience would be:
>>>
>>> FormAuthenticator: 255
>>>         if (session == null) {
>>>             session = request.getSessionInternal(false);
>>>         }
>>>
>>> ==>
>>>         if (session == null) {
>>>             session = request.getSessionInternal(true);
>>>         }
>>>
>>> So if the session is invalid or missing - simply create it.
>>>
>>> Does this idea make sense?
>>
>> No. It makes no sense at all.
>>
>>> Can we achieve the goal of not forcing the user to enter credentials twice
>>> without changes in Tomcat?
>>
>> No. The credentials are stored in the session. If you restart Tomcat
>> with session persistence disabled those credentials are lost and the
>> user is going to have to re-enter them.
>>
>> Mark
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
