On Thu, 20 Jan 2011 15:16:15 +0000, Mark Thomas <ma...@apache.org> wrote:

Read up on FORM auth in the Servlet spec. There is a specific sequence
of events that looks roughly like (for a successful auth):

1. Browser sends original request
2. Server saves request, creates session and responds with login page
3. Browser sends login details to server
4. Server validates login details
5. Server restores saved request and processes it
6. Server sends response to original request to browser.

Hi Mark,

That explains a problem some people complain about:
When you invalidate the session in the second step, the server is not able to restore the previous request and leaves the user with the same login form at the URL /j_security_check. The real problem is that a cryptic error now appears: HTTP Status 400 - Invalid direct reference to form login page. It's enough for the user to open the login form page, wait until the session is invalidated due to the inactivity timeout, then try to log in. One solution is to use an HttpSession.isNew() check on the login JSP page and redirect, e.g., to the main page.

--
Mikolaj Rydzewski <m...@ceti.pl>
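A login page implementing the HttpSession.isNew() redirect described above, as an added example that is not part of the thread (the /index.jsp path, the page markup, and the assumption that the application creates a session before any protected URL is requested are mine). Tomcat sends that 400 when the POST to j_security_check carries a session that holds no saved request, which is what happens when the login page is opened or reloaded directly and the JSP itself creates a fresh session:

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%-- login.jsp: FORM auth login page (hypothetical example, not from the thread) --%>
<%
    // The login page is reached in two ways:
    //  (a) the container forwarded to it after saving the user's original
    //      request (step 2 in the sequence quoted above), or
    //  (b) the user opened or reloaded it directly, e.g. after the session
    //      that held the saved request expired.
    // In case (b) there is nothing for j_security_check to restore, and the
    // POST ends in "HTTP Status 400 - Invalid direct reference to form
    // login page". Per the Servlet spec, isNew() is true when the client has
    // not yet joined the session, which is the case when this JSP has just
    // created one. Assumption (hypothetical app): unprotected pages such as
    // /index.jsp create the session before any protected URL is hit, so in
    // case (a) the session already exists and isNew() is false.
    if (session.isNew()) {
        // Nothing to restore: start over from the main page, which the app
        // is assumed to serve at /index.jsp.
        response.sendRedirect(response.encodeRedirectURL(
                request.getContextPath() + "/index.jsp"));
        return;
    }
%>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <%-- Relative action: resolves to <context>/j_security_check when this
       page sits at the context root. --%>
  <form method="post" action="j_security_check">
    <label>User name
      <input type="text" name="j_username" autocomplete="username">
    </label>
    <label>Password
      <input type="password" name="j_password" autocomplete="current-password">
    </label>
    <button type="submit">Log in</button>
  </form>
</body>
</html>
```

The check only tells the two cases apart because the session is assumed to predate the protected request; if the container itself creates the session in step 2, isNew() is also true on that first forward, and the user is bounced to /index.jsp once before the form is shown.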
