tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Tomcat Form Authentication Timeout Behavior
Date Wed, 01 Feb 2012 19:36:17 GMT

On 2/1/12 2:10 PM, Jess Holle wrote:
> I've noticed that if I POST to an authenticated URL in a web app 
> configured for form-based authentication, Tomcat delivers the login
> form, and then replays the POST just fine *unless* the current
> state of the browser is one where I had already been authenticated
> but that session had timed out.  In that case, Tomcat fails to
> deliver the POST data.
> I assume this is a known issue/limitation.  If not, is there some 
> configuration setting I'm missing or some such?  This is with 
> Tomcat 7.0.23.

If you are logged-in and experience a timeout while you stare at a
POST form, the next POST should ask for your credentials and then
re-POST the form.

Your description above seems to claim that Tomcat can somehow tell the
difference between a POST to a timed-out session and a post to a
session which never existed. Tomcat does not keep old sessions around
for the purposes of messing up your flows.

Are you sure you are describing your observations properly?

Tomcat *does* have a maximum size for a saved post (see,
"maxSavePostSize" - the default is 4kb). I actually don't know what
happens if the POST size exceeds this value since I've never needed
more than the default.

-chris