Hi Mark- Thanks again for the response.
I fixed the credential handler config, it just had a superfluous attribute, so the WARNING went away and as you predicted didn't change the session outcome. Now when stopping and starting tomcat I'm not seeing any log higher than an INFO, it is appears to be doing this cleanly, but my problem persists. I'll take a look at the http to see what is going on with the session tokens and cookies, thanks for the advice. However, it's still strange to me that it works for an app restart, meaning from the application perspective it is correctly implemented, e.g., with respect to serialization, but not a server restart, although the docs indicate these should work the same. I know sessions are intertwined with single sign-on. Are we sure this isn't the problem? As I said, I need to turn on single sign-on to fix another login bug, but I might be able to turn it off if it'd help in diagnosing this problem. Thanks- Robert
