tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat Form Authentication Timeout Behavior
Date Wed, 01 Feb 2012 19:36:17 GMT

Jess,

On 2/1/12 2:10 PM, Jess Holle wrote:
> I've noticed that if I POST to an authenticated URL in a web app 
> configured for form-based authentication, Tomcat delivers the login
> form, and then replays the POST just fine *unless* the current
> state of the browser is one where I had already been authenticated
> but that session had timed out.  In that case, Tomcat fails to
> deliver the POST data.
> 
> I assume this is a known issue/limitation.  If not, is there some 
> configuration setting I'm missing or some such?  This is with 
> Tomcat 7.0.23.

If you are logged-in and experience a timeout while you stare at a
POST form, the next POST should ask for your credentials and then
re-POST the form.

Your description above seems to claim that Tomcat can somehow tell the
difference between a POST to a timed-out session and a post to a
session which never existed. Tomcat does not keep old sessions around
for the purposes of messing up your flows.

Are you sure you are describing your observations properly?

Tomcat *does* have a maximum size for a saved post (see
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html,
"maxSavePostSize" - the default is 4kb). I actually don't know what
happens if the POST size exceeds this value since I've never needed
more than the default.

-chris
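As an added example (not part of the original message and not Tomcat project code), the sketch below audits the `Connector` elements of a `server.xml` for the `maxSavePostSize` setting mentioned in the reply and reports whether a POST body of a given size fits the save limit. The sample XML is constructed; the meanings of `-1` (limit disabled) and `0` (saving disabled) follow the Tomcat connector documentation linked in the message, and treating the limit as inclusive is an assumption.

```python
import xml.etree.ElementTree as ET

# Default stated in the message and the connector documentation (4 KB).
DEFAULT_MAX_SAVE_POST_SIZE = 4096

# Constructed sample configuration, not taken from the thread.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="HTTP/1.1" maxSavePostSize="65536" />
    <Connector port="8009" protocol="AJP/1.3" maxSavePostSize="0" />
    <Connector port="8081" protocol="HTTP/1.1" maxSavePostSize="-1" />
  </Service>
</Server>
"""


def effective_limit(connector):
    """Return the connector's maxSavePostSize in bytes (default if unset)."""
    raw = connector.get("maxSavePostSize")
    return DEFAULT_MAX_SAVE_POST_SIZE if raw is None else int(raw)


def can_save(limit, body_bytes):
    """True if a POST body of body_bytes fits within the save limit."""
    if limit < 0:   # -1: the limit is disabled
        return True
    if limit == 0:  # 0: saving POST data during authentication is disabled
        return False
    return body_bytes <= limit  # assumption: the limit is inclusive


def audit(server_xml, body_bytes):
    """Map each connector port to (limit, fits) for a body of body_bytes."""
    root = ET.fromstring(server_xml)
    result = {}
    for conn in root.iter("Connector"):
        limit = effective_limit(conn)
        result[conn.get("port")] = (limit, can_save(limit, body_bytes))
    return result


if __name__ == "__main__":
    # Check a 10,000-byte form POST against every connector.
    for port, (limit, fits) in audit(SAMPLE_SERVER_XML, 10_000).items():
        state = "fits" if fits else "exceeds or saving disabled"
        print(f"port {port}: maxSavePostSize={limit} -> {state}")
```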