Hi there,

We have an application which uses the forms authentication provided by the Servlet specification and is configured to store session IDs in the URL rather than using cookies. This configuration has been working as expected under Tomcat 6.0.32 and earlier.

On upgrading to Tomcat 6.0.33 or 6.0.35 this combination no longer works as expected. Specifically, when a user initially submits the login form they are immediately returned back to the form-login-page. Submitting the login form a second time allows them to log in. The only difference I have been able to spot between the first and second form submission is that for the second submission the request attribute "javax.servlet.forward.request_uri" now has the jsessionid appended to the URL.

After a bit of reading I'm not sure if this change is a bug, perhaps introduced by the changes to path parameter handling as mentioned in these threads:

http://markmail.org/thread/2yzusfukitalkhyx
http://tomcat.markmail.org/thread/ykx72wcuzcmiyujz

or if we are using an unsupported configuration, which is suggested by section SRV.12.5.3.1 of the Servlet specification v2.5.

Could someone please clarify if Tomcat supports forms authentication without cookies? If it is intended to be a supported configuration I'm happy to submit a bug report and can provide a simple standalone test app to reproduce the problem.

Thanks,
Brett.

Environment details:
- Windows 7 64-bit, Oracle JVM 1.6.0u32 & 1.7.0u4.
- Debian 5 32-bit, Oracle JVM 1.6.0u32.