Pid wrote:
> umeshkavade wrote:
>> Hello,
>>
>> In my web application, I am using Tomcat's form based authentication for
>> protecting my secure web pages. Thus whenever user starts accessing webapp
>> by providing a URL of protected page, it is redirected to login page.
>> However, while doing so it creates a session. I do not want my web
>> application to create a session until user logs into the system.
>>
>> I tried to figure out how form authenticator is working. I got source code
>> of FormAuthenticator at:
>> http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm
>>
>> While processing first request, Tomcat calls
>> FormAuthenticator.authenticate() method which is calling getSession method
>> which creates a session.
>>
>> Is there any way to avoid this and tell Tomcat to not create session?
>
> The session is created, (if it doesn't already exist), when you request
> a protected resource, the original request is stored in the session so
> it can be restored after authentication has succeeded.

Actually, on reflection, I'm not sure the original request is stored in
the session itself. But in either case, the session *is* created
beforehand and you can't avoid this.

p

> So you need the user to have a session *before* authentication takes place.
>
> p
>
>
>> Inputs on this will be of great help.
>>
>> Thanks in advance.
>>
>> - Umesh
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
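
The flow discussed in this thread, as a simplified model added here as an example (it is not part of the original messages and is not Tomcat's code): a request for a protected resource creates a session before any login so the original request can be replayed afterwards. The class and method names, the sample URI and the credential check are hypothetical, and the model assumes the saved request is kept with the session, which the thread itself leaves uncertain.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of container-managed FORM login (hypothetical names, not Tomcat code).
public class FormAuthModel {
    // Server-side session store: session id -> per-session state.
    static final Map<String, Map<String, String>> sessions = new HashMap<>();

    // Request for a protected resource. sessionId is the cookie value, or null.
    // Returns {sessionId, outcome}.
    static String[] requestProtected(String sessionId, String uri) {
        Map<String, String> s = sessionId == null ? null : sessions.get(sessionId);
        if (s != null && s.containsKey("principal")) {
            return new String[] { sessionId, "serve " + uri };
        }
        if (s == null) {
            // No session yet: one is created *before* authentication,
            // because the original request has to be remembered somewhere.
            sessionId = UUID.randomUUID().toString();
            s = new HashMap<>();
            sessions.put(sessionId, s);
        }
        s.put("savedRequest", uri); // assumption: kept with the session
        return new String[] { sessionId, "show login page" };
    }

    // Login form submission. On success the saved request is replayed.
    static String login(String sessionId, String user, String password) {
        Map<String, String> s = sessions.get(sessionId);
        if (s == null || !s.containsKey("savedRequest")) {
            return "error: no session holding a saved request";
        }
        // Constructed stand-in for a realm lookup.
        if (!"s3cret".equals(password)) return "show login error page";
        s.put("principal", user);
        return "redirect to " + s.remove("savedRequest");
    }

    public static void main(String[] args) {
        String[] first = requestProtected(null, "/secure/report");
        System.out.println(first[1] + " (sessions before login: " + sessions.size() + ")");
        System.out.println(login(first[0], "umesh", "s3cret"));
        System.out.println(requestProtected(first[0], "/secure/report")[1]);
        System.out.println(login("unknown-id", "umesh", "s3cret"));
    }
}
```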