On 20 Jul 2012, at 03:38, Brett Mason <b.ma...@adinstruments.com> wrote:
> Hi there,
>
> We have an application which uses the forms authentication provided by
> the Servlet specification and is configured to store session IDs in the URL rather
> than using cookies. This configuration has been working as expected under
> Tomcat 6.0.32 and earlier.
>
> On upgrading to Tomcat 6.0.33 or 6.0.35 this combination no longer works as
> expected. Specifically, when a user initially submits the login form they
> are immediately returned back to the form-login-page. Submitting the login
> form a second time allows them to log in. The only difference I have been
> able to spot between the first and second form submission is for the second
> submission the request attribute "javax.servlet.forward.request_uri" now
> has the jsessionid appended to the URL.
>
> After a bit of reading I'm not sure if this change is a bug, perhaps
> introduced by the changes to path parameter handling as mentioned in these
> threads:
> http://markmail.org/thread/2yzusfukitalkhyx
> http://tomcat.markmail.org/thread/ykx72wcuzcmiyujz
>
> Or if we are using an unsupported configuration which is suggested by
> section SRV.12.5.3.1 of the Servlet specification v2.5.
>
>
> Could someone please clarify if Tomcat supports forms authentication
> without cookies? If it is intended to be a supported configuration I'm
> happy to submit a bug report and can provide a simple standalone test app
> to reproduce the problem.

Form auth should work regardless of where the session id lives.

Is the login form an HTML or JSP page?

A session must be created before you can log in; it sounds like Tomcat isn't seeing one during the first login.

p

>
> Thanks,
> Brett.
>
>
> Environment details:
> - Windows 7 64-bit, Oracle JVM 1.6.0u32 & 1.7.0u4.
> - Debian 5 32-bit, Oracle JVM 1.6.0u32.
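
As an added illustration of the two points in the reply (this is not code from the thread or from Tomcat), a JSP form-login-page can both guarantee that a session exists and carry its ID in the form's action URL, and it can record what the container saw on each render. The file name `login.jsp` and the log message format are assumptions; the diagnostics are meant for a test environment.

```jsp
<%@ page session="true" contentType="text/html; charset=UTF-8" %>
<%-- login.jsp: hypothetical form-login-page for a deployment that keeps the
     session ID in the URL instead of a cookie (added example). --%>
<%
    // session="true" is the JSP default: the container creates a session
    // before this page renders, so one exists when the form is submitted.
    // encodeURL() appends ;jsessionid=... when the session is not being
    // tracked by cookie, so the POST to j_security_check carries the ID.
    String action = response.encodeURL("j_security_check");

    // Diagnostics go to the server log rather than into the page, so that
    // request-derived values are never echoed into the HTML.
    application.log("login.jsp:"
        + " sessionIsNew=" + session.isNew()
        + " requestedIdFromURL=" + request.isRequestedSessionIdFromURL()
        + " requestedIdValid=" + request.isRequestedSessionIdValid()
        + " forward.request_uri="
        + request.getAttribute("javax.servlet.forward.request_uri"));
%>
<html>
<body>
<form method="post" action="<%= action %>">
  <label>User: <input type="text" name="j_username"></label>
  <label>Password: <input type="password" name="j_password"></label>
  <input type="submit" value="Log in">
</form>
</body>
</html>
```

Comparing the logged values for the first and second render of the login page shows whether the request that reached the form carried a valid session ID in its URL.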