P, thanks very much for your help.


The problem was fixed once I started linking explicitly to "/members/index.jsp"
from index.htm, rather than just linking to "/members/" when my member file was
straight HTML.

> Date: Thu, 6 Sep 2007 15:12:28 +0100
> From: [EMAIL PROTECTED]
> To: users@tomcat.apache.org
> Subject: Re: Problem with form based JSP authentication using Firefox with 
> Tomcat
>
> Luke McMahon wrote:
>> Thanks again P,
>
> Can you include the source of
>
> /index.html
>
> and
>
> /members/index.html (is it HTML or JSP?)
>
>
> p
>
>
>> Yeah I actually already had the meta tags at the top, and modified 
>> everything to match your example exactly. I also tried using separate login 
>> and error pages with no noticeable difference.
>> Here are the http responses to the member page GET. I'm not well versed in 
>> this stuff, but it seems like the cache-control info is ok but it thinks the 
>> page has not been modified when the re-login fails:
>>
>>
>> Success:
>> ---------------------
>> http://localhost:8080/members/
>>
>> GET /members/ HTTP/1.1
>> Host: localhost:8080
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) 
>> Gecko/20070725 Firefox/2.0.0.6
>> Accept: 
>> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Connection: keep-alive
>> Referer: http://localhost:8080/members/
>> Cookie: JSESSIONID=533286C2B979BBF186A7D69AAAE33746
>> Cache-Control: max-age=0
>>
>> HTTP/1.x 200 OK
>> Server: Apache-Coyote/1.1
>> Pragma: No-cache
>> Cache-Control: no-cache
>> Expires: Thu, 01 Jan 1970 10:00:00 EST
>> Etag: W/"2807-1188956843361"
>> Last-Modified: Wed, 05 Sep 2007 01:47:23 GMT
>> Content-Type: text/html
>> Content-Length: 2807
>> Date: Wed, 05 Sep 2007 02:03:55 GMT
>>
>>
>>
>> Failure:
>> -----------------------------
>> http://localhost:8080/members/
>>
>> GET /members/ HTTP/1.1
>> Host: localhost:8080
>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) 
>> Gecko/20070725 Firefox/2.0.0.6
>> Accept: 
>> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 300
>> Connection: keep-alive
>> Referer: http://localhost:8080/members/
>> Cookie: JSESSIONID=FF03B0286AA97B1A603A05A1E402728D
>> Cache-Control: max-age=0
>>
>> HTTP/1.x 304 Not Modified
>> Server: Apache-Coyote/1.1
>> Pragma: No-cache
>> Cache-Control: no-cache
>> Expires: Thu, 01 Jan 1970 10:00:00 EST
>> Etag: W/"2807-1188956843361"
>> Date: Wed, 05 Sep 2007 02:04:23 GMT
>>
>>
>>
>>
>>
>>> Date: Wed, 5 Sep 2007 09:46:53 +0100
>>> From: [EMAIL PROTECTED]
>>> To: users@tomcat.apache.org
>>> Subject: Re: Problem with form based JSP authentication using Firefox with 
>>> Tomcat
>>>
>>> Are you saying you tried what I suggested, or that you have already
>>> tried it? It seems like the problem is a caching issue to me.
>>>
>>> What URL are you trying to access to trigger the login - you're not
>>> accessing the login.jsp directly are you? (I have to ask...)
>>>
>>>
>>> In the second instance the browser is setting JSESSIONID as a cookie,
>>> instead of as a URL parameter, but that shouldn't make a difference.
>>> The response.encodeURL method only encodes the URL with JSESSIONID if it
>>> can't see the same value in a cookie in the request.
>>>
>>> The value of JSESSIONID *may* change with each new session, but it won't
>>> be created until you hit a JSP. So the first time it's only created
>>> when you hit login.jsp, where it's encoded in the URL because no
>>> previous session id was found in the URL or cookie.
>>>
>>> The cookie still exists locally after you logout, until you close the
>>> browser down, so it's not added to the URL the second time round, but as
>>> the existing ID is an invalid session it triggers the authentication valve.
>>>
>>>
>>>
>>> You should compare the server response headers rather than the request
>>> headers, to see if the server is correctly sending the Cache-Control info.
>>>
>>>
>>>
>>> p
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Luke McMahon wrote:
>>>> Thanks p (hope this is formatted better!)
>>>>
>>>> I tried this without success. I've attached the livehttpheader output 
>>>> below. What seems to happen in Firefox is the first time I go to the login 
>>>> page, it passes the jsessionid to j_security_check.
>>>> If I then invalidate the session, and go to log in again, it calls 
>>>> j_security_check without this identifier. This might be why I'm not 
>>>> getting redirected to the member page, but I'm not sure of that.
>>>> Like I said, this works fine in IE, but Firefox still seems to either be
>>>> losing its bundle after the session is invalidated or incorrectly caching
>>>> the login page as the member page I'm trying to access.
>>>>
>>>> I've just cut and pasted the differences between the headers of the
>>>> successful login, and the unsuccessful login (i.e. no redirect).
>>>>
>>>> Success:
>>>> ---------------------------------
>>>> http://localhost:8080/members/
>>>>
>>>> GET /members/ HTTP/1.1
>>>> Host: localhost:8080
>>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) 
>>>> Gecko/20070725 Firefox/2.0.0.6
>>>> Accept: 
>>>> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>>> Accept-Language: en-us,en;q=0.5
>>>> Accept-Encoding: gzip,deflate
>>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>>> Keep-Alive: 300
>>>> Connection: keep-alive
>>>> Referer: http://localhost:8080/index.htm
>>>>
>>>> Failure:
>>>> ------------------------------------
>>>> http://localhost:8080/members/
>>>>
>>>> GET /members/ HTTP/1.1
>>>> Host: localhost:8080
>>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.6) 
>>>> Gecko/20070725 Firefox/2.0.0.6
>>>> Accept: 
>>>> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
>>>> Accept-Language: en-us,en;q=0.5
>>>> Accept-Encoding: gzip,deflate
>>>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>>>> Keep-Alive: 300
>>>> Connection: keep-alive
>>>> Referer: http://localhost:8080/index.htm
>>>> Cookie: JSESSIONID=533286C2B979BBF186A7D69AAAE33746
>>>> ---------------------------------------------------------------------
>>>> To start a new topic, e-mail: users@tomcat.apache.org
>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>>
>>>>
>>
>
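
The comparison P recommends in the thread (server response headers rather than request headers), as an added example that is not part of the original messages: it diffs the two response blocks quoted above and reports what changed between the 200 and the 304. The function names `parse_response` and `compare` are illustrative.

```python
# Response header blocks copied from the LiveHTTPHeaders capture quoted in the thread.
SUCCESS = """\
HTTP/1.x 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
Etag: W/"2807-1188956843361"
Last-Modified: Wed, 05 Sep 2007 01:47:23 GMT
Content-Type: text/html
Content-Length: 2807
Date: Wed, 05 Sep 2007 02:03:55 GMT
"""
FAILURE = """\
HTTP/1.x 304 Not Modified
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 10:00:00 EST
Etag: W/"2807-1188956843361"
Date: Wed, 05 Sep 2007 02:04:23 GMT
"""
VOLATILE = {"date"}  # changes on every response, so never a finding

def parse_response(raw):
    """Return (status_code, headers) with header names lowercased."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers

def compare(first_raw, second_raw):
    """List response differences relevant to a stale page after re-login."""
    s1, h1 = parse_response(first_raw)
    s2, h2 = parse_response(second_raw)
    findings = [f"status: {s1} -> {s2}"] if s1 != s2 else []
    for name in sorted((set(h1) | set(h2)) - VOLATILE):
        if h1.get(name) != h2.get(name):
            findings.append(f"{name}: {h1.get(name)!r} -> {h2.get(name)!r}")
    if s2 == 304 and h1.get("etag") == h2.get("etag"):
        findings.append("304 with unchanged ETag: browser reuses its cached body")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(SUCCESS, FAILURE)))
```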
