tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "mech" <>
Subject form based auth problem when disallowing cookies
Date Sat, 08 Feb 2003 17:56:50 GMT

I'm using Tomcat 4.1.18 with a form based auth method. 
My login.jsp is in a directory <context>/login/ and for that directory
I've also set a security contraint which switches to https for logon
(and stays in https, of course)

I have no problem when I use cookies, but I see a bit strange behaviour
if I don't use cookies:

1. Surf around the webapp. sessionid is generated and attached to url
via url rewriting
2. Click login link and load login.jsp. Simultaniously switching to
3. Still same sessionid in the url as before. login form screen prompts
4. I use correct username/password to login. I see no error, but the
sessionid got changed in the url and the login form is prompted again
and i'm not yet "in"!
5. If I login again, I keep the "new" sessionid and can continue as
normal and finally login is sucessful.

Step 4 is different to what I have with cookies. I don't need to login
twice. And the sessionid that is in the cookie also stays the same
before and after.

So actually my previous session also gets destroyed after logon and I
couldn't take my session beans (for example a shopping cart) into https
while using url rewriting for session tracking. If I use cookies, that's

Any ideas what I do wrong, is this a bug (if yes, in my webapp or
Tomcat) or is it a "wanted security thing" that you can't grab someone's
session id from the url, for example to manipulate the session from a
second http browser window after a https logon was done in another


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message