The reason is: after Tomcat restart, the logging-in browser provides an old session id to the server.
FormAuthenticator treats it as an issue, and either sends an error or the landing page.

On Thu, May 28, 2015 at 12:30 PM, Leonid Rozenblyum <lrozenbl...@gmail.com> wrote:
> Well the issue is that if the user enters CORRECT credentials AFTER Tomcat restart
> he sees Error 400/408
>
> On Thu, May 28, 2015 at 12:29 PM, Mark Thomas <ma...@apache.org> wrote:
>> On 28/05/2015 10:22, Leonid Rozenblyum wrote:
>>> Hello experts.
>>>
>>> We are using FormAuthenticator and face the following issue:
>>>
>>> 1) Session persistence is disabled
>>> 2) User is on login page
>>> 3) Restart Tomcat
>>> 4) User tries authentication
>>>
>>> He receives error 400 or 408.
>>>
>>> While digging deeper we discovered that in this case Tomcat validates
>>> the session id and if it's old/invalid - prevents logging in even though
>>> valid credentials are passed.
>>>
>>> We tried the landingPage solution - it looks better than error 400/408 but
>>> anyway it forces the user to enter credentials twice (or we don't know how
>>> to pass credentials to landingPage implicitly).
>>>
>>> We think that an improvement of user experience would be:
>>>
>>> FormAuthenticator: 255
>>> if (session == null) {
>>>     session = request.getSessionInternal(false);
>>> }
>>>
>>> ==>
>>> if (session == null) {
>>>     session = request.getSessionInternal(true);
>>> }
>>>
>>> So if the session is invalid or missing - simply create it.
>>>
>>> Does this idea make sense?
>>
>> No. It makes no sense at all.
>>
>>> Can we achieve the goal of not forcing the user to enter credentials twice
>>> without changes in Tomcat?
>>
>> No. The credentials are stored in the session. If you restart Tomcat
>> with session persistence disabled those credentials are lost and the
>> user is going to have to re-enter them.
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>> ---------------------------------------------------------------------
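For readers who want to see where the two settings discussed in this thread are configured, the following `META-INF/context.xml` fragment is an added illustration (it is not from the thread and not the Tomcat project's own documentation). It declares the FormAuthenticator valve with the `landingPage` attribute the original poster tried, next to a session Manager with persistence switched off (`pathname=""`), which is the combination the thread describes. The landing page path `/login-landing.html` is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application (illustrative; paths are placeholders) -->
<Context>
    <!-- Explicit FormAuthenticator valve. Tomcat adds one automatically when
         web.xml declares <auth-method>FORM</auth-method>; declaring it here
         lets you set its attributes. With landingPage set, a j_security_check
         POST that arrives without a matching saved request in the session is
         redirected to this page instead of being answered with 400/408.
         The user still has to log in again on that page. -->
    <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
           landingPage="/login-landing.html" />

    <!-- Session persistence disabled: an empty pathname means sessions are not
         written to SESSIONS.ser on shutdown and reloaded at start, so every
         session (including the credentials and saved request that
         FormAuthenticator keeps in it) is gone after a restart. -->
    <Manager className="org.apache.catalina.session.StandardManager"
             pathname="" />
</Context>
```

As Mark's reply states, neither setting changes the outcome the thread is about: with persistence disabled the session that held the in-progress login no longer exists after the restart, so the only difference `landingPage` makes is a redirect to a page of your choosing instead of an error status, and the user re-enters credentials there.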