umeshkavade wrote:
> Hello,
>
> In my web application, I am using tomcat's form based authentication for
> protecting my secure web pages. Thus whenever user starts accessing webapp
> by providing an URL of protected page, it is redirected to login page.
> However, while doing so it creates a session. I do not want my web
> application to create a session until user logs into the system.
>
> I tried to figure out how form authenticator is working. I got source code
> of FormAuthenticator at:
> http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm
>
> While processing first request, tomcat calls
> FormAuthenticator.authenticate() method which is calling getSession method
> which creates a session.
>
> Is there any way to avoid this and tell tomcat to not create session.

The session is created (if it doesn't already exist) when you request a protected resource; the original request is stored in the session so it can be restored after authentication has succeeded. So you need the user to have a session *before* authentication takes place.

p

> Inputs on this will be of great help.
>
> Thanks in advance.
>
> - Umesh
>
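The round trip described in the reply, as an added example that is not part of the thread and is not Tomcat's code: a simplified Python model showing that the login POST can only return the user to the original page because that URL was saved in a session on the first request. The URL pattern, login page path, credentials and the `FormAuthModel` class are assumptions made for the illustration.

```python
import secrets

PROTECTED_PREFIX = "/secure/"   # assumed security-constraint URL pattern
LOGIN_PAGE = "/login.jsp"       # assumed form-login-page
USERS = {"umesh": "s3cret"}     # constructed credentials for the demo


class FormAuthModel:
    """Toy model of the FORM-auth round trip; not Tomcat's FormAuthenticator."""

    def __init__(self):
        # session id -> {"saved": url or None, "user": name or None}
        self.sessions = {}

    def handle(self, method, url, sid=None, form=None):
        """Process one request; return (status, location_or_body, session_id)."""
        session = self.sessions.get(sid)
        if method == "POST" and url == "/j_security_check":
            # The login POST carries no hint of the page the user wanted;
            # that lives only in the session created on the first request.
            if session is None or session["saved"] is None:
                return 400, "no saved request to restore", sid
            form = form or {}
            user = form.get("j_username", "")
            expected = USERS.get(user)
            supplied = form.get("j_password", "")
            if expected is None or not secrets.compare_digest(expected, supplied):
                return 200, "login error page", sid
            session["user"] = user
            target, session["saved"] = session["saved"], None
            return 302, target, sid          # send the user back to the original URL
        if not url.startswith(PROTECTED_PREFIX):
            return 200, "public page", sid   # no session needed or created
        if session is not None and session["user"]:
            return 200, "protected page for " + session["user"], sid
        if session is None:                  # first hit: the session starts here
            sid = secrets.token_hex(16)
            session = self.sessions[sid] = {"saved": None, "user": None}
        session["saved"] = url               # remember where the user was going
        return 302, LOGIN_PAGE, sid
```

In the model, a public page never creates a session; only the first request for a protected URL does, which matches the behaviour the original poster observed.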