On 24/10/2018 19:01, Robert J. Carr wrote:
Hi Mark-

Thanks again for the response.

I fixed the credential handler config, it just had a superfluous attribute,
so the WARNING went away and as you predicted didn't change the session
outcome.  Now when stopping and starting tomcat I'm not seeing any log
higher than an INFO, it appears to be doing this cleanly, but my problem
persists.

I'll take a look at the http to see what is going on with the session
tokens and cookies, thanks for the advice.  However, it's still strange to
me that it works for an app restart, meaning from the application
perspective it is correctly implemented, e.g., with respect to
serialization, but not a server restart, although the docs indicate these
should work the same.

I know sessions are intertwined with single sign-on.  Are we sure this
isn't the problem?  As I said, I need to turn on single sign-on to fix
another login bug, but I might be able to turn it off if it'd help in
diagnosing this problem.

When you say restart the server do you mean you stop/start Tomcat or reboot the server?

SSO may be playing a role. Are you using Tomcat's SSO or something else?

Generally, Tomcat persists sessions. Optionally (enabled by default) Tomcat caches the authenticated user ID in the session. So if the session is cached, the user should remain authenticated.

The authentication mechanism also plays a part as browsers will resend credentials on subsequent requests if BASIC auth is used.

Mark
