Hello, In my web application, I am using tomcat's form based authentication for protecting my secure web pages. Thus whenever user starts accessing webapp by providing an URL of protected page, it is redirected to login page. However, while doing so it creates a session. I do not want my web application to create a session until user logs into the system.
I tried to figure out how form authenticator is working. I got source code of FormAuthenticator at: http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm While processing first request, tomcat calls FormAuthenticator.authenticate() method which is calling getSession method which creates a session. Is there any way to avoid this and tell tomcat to not create session. Inputs on this will be of great help. Thanks in advance. - Umesh -- View this message in context: http://www.nabble.com/Form-Based-Authentication-creates-user-session-before-it-is-authenticated--tp23455945p23455945.html Sent from the Tomcat - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org