tomcat-users mailing list archives

From umeshkavade <>
Subject Form Based Authentication creates user session before it is authenticated?
Date Sat, 09 May 2009 01:03:47 GMT


In my web application, I am using Tomcat's form based authentication for
protecting my secure web pages. Thus whenever a user starts accessing the webapp
by providing a URL of a protected page, they are redirected to the login page.
However, while doing so it creates a session. I do not want my web
application to create a session until the user logs into the system.

I tried to figure out how form authenticator is working. I got source code
of FormAuthenticator at:

While processing the first request, Tomcat calls the
FormAuthenticator.authenticate() method, which calls the getSession method,
which creates a session.

Is there any way to avoid this and tell Tomcat not to create a session?

Inputs on this will be of great help.

Thanks in advance.

- Umesh
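
Added example, not part of the original post and not Tomcat's own code: it does not stop the session from being created, but shows one way to bound the cost of sessions created before login by giving them a short idle timeout and extending it once a principal is present. The class name and both timeout values are hypothetical; only the standard javax.servlet API is used.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

// Hypothetical class: register it in web.xml both as a <listener> and as a
// <filter> mapped to the application's URLs. It holds no state, so the two
// instances the container creates are independent.
public class PreAuthSessionLimiter implements HttpSessionListener, Filter {

    // Constructed values; tune them for the application.
    private static final int PRE_AUTH_TIMEOUT_SECONDS = 120;
    private static final int AUTH_TIMEOUT_SECONDS = 1800;

    // Runs for every new session, including one created while an
    // unauthenticated request is being sent to the login page.
    public void sessionCreated(HttpSessionEvent event) {
        event.getSession().setMaxInactiveInterval(PRE_AUTH_TIMEOUT_SECONDS);
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        // Nothing to clean up.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getSession(false) never creates a session from inside the filter.
        HttpSession session = request.getSession(false);
        boolean authenticated = request.getUserPrincipal() != null;
        // Extend the timeout once, on the first request seen after login.
        if (session != null && authenticated
                && session.getMaxInactiveInterval() == PRE_AUTH_TIMEOUT_SECONDS) {
            session.setMaxInactiveInterval(AUTH_TIMEOUT_SECONDS);
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }

    public void destroy() { }
}
```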
