Actually, there's a small correction to my session persistence description from before. From the doc I referenced here:
https://tomcat.apache.org/tomcat-8.5-doc/config/manager.html#Special_Features It says: > Whenever Apache Tomcat is shut down normally and restarted, or when an application reload is triggered, the ... All such saved sessions will then be deserialized and activated ... But here's what I'm finding: * if the application is restarted then the session and its contents are maintained as expected * if the application is undeployed and redeployed (while the server remains running) a new session is silently generated, and any contents disappear, but the user maintains her authentication * if the server is shut down and restarted then everything seems to disappear, as I then get a 403 when trying to access the protected page Again, this isn't consistent with the documentation, so not sure what I'm doing wrong. Thanks- Robert