tomcat-users mailing list archives

From Jess Holle <>
Subject Re: Form Authentication POST data not preserved?
Date Sat, 04 Feb 2012 00:14:42 GMT
On 2/3/2012 5:26 PM, Konstantin Kolinko wrote:
> 2012/2/4 Jess Holle<>:
>> I posted a query recently wherein I thought that POST data was being lost
>> *only* if the user had been authenticated, their session timed out, and then
>> they POST'ed to a URL requiring authentication -- thus having their request
>> interrupted for a form-based login.
>> I know Tomcat is supposed to preserve the POST data in this case as well as
>> in the case where one had not yet authenticated prior to the POST, but I'd
>> thought that the latter case worked.
>> As someone nicely pointed out, that makes no sense.
> Why? The saved data is kept in session. If session times out (that
> means: it is removed from the server) the data that was kept in it
> becomes lost as well as the session itself.
> Or maybe I do not quite understand you (try rephrasing your statements,
> listing the events in chronological order).
How's this?

Case 1:

 1. Browse to (anonymously accessible) data entry form without having
    logged in yet
 2. Click to POST data to authenticated result page URL
 3. Fill in login form
 4. See result page

Case 2:

 1. Log in
 2. Browse to data entry form (anonymous or otherwise)
 3. Allow session to time out (or force this on the server)
 4. Click to POST data to authenticated result page URL
 5. Fill in login form
 6. See result page

I'd expect to see the results in both cases reflect the POST data.

Initially I had thought that Case #1 worked but Case #2 didn't.  That 
makes no sense -- as others pointed out.

Now I see that neither case works.

Jess  Holle
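
The model from the quoted reply (the saved request is kept in the session), as an added example that is not part of the original message and is not Tomcat's code: a simplified Python simulation run over Case 1, Case 2 and the situation the reply describes, where the session holding the saved POST is removed before the login form is submitted. The class, method and key names are hypothetical, and the form data is constructed.

```python
import itertools

class FormAuthModel:
    """Simplified model: sessions are server-side dicts keyed by a cookie value."""
    def __init__(self):
        self.sessions = {}
        self._ids = itertools.count(1)

    def _session(self, cookie):
        # Unknown or expired id: the server issues a fresh, empty session.
        if cookie not in self.sessions:
            cookie = f"S{next(self._ids)}"
            self.sessions[cookie] = {}
        return cookie

    def expire(self, cookie):
        self.sessions.pop(cookie, None)  # session and everything in it is gone

    def post_protected(self, cookie, form):
        cookie = self._session(cookie)
        s = self.sessions[cookie]
        if s.get("user"):
            return cookie, ("result", form)
        s["saved_post"] = dict(form)  # parked in the session until login succeeds
        return cookie, ("login_form", None)

    def login(self, cookie, user):
        cookie = self._session(cookie)
        s = self.sessions[cookie]
        s["user"] = user
        # Replay the parked request; None if the session that held it was removed.
        return cookie, ("result", s.pop("saved_post", None))

FORM = {"field": "value"}  # constructed sample POST data

def case1():  # not logged in yet -> POST -> login
    m = FormAuthModel()
    c, _ = m.post_protected(None, FORM)
    return m.login(c, "user1")[1][1]

def case2():  # login -> session times out -> POST -> login
    m = FormAuthModel()
    c, _ = m.login(None, "user1")
    m.expire(c)
    c, _ = m.post_protected(c, FORM)  # stale cookie: saved in a new session
    return m.login(c, "user1")[1][1]

def expiry_during_login():  # POST -> session removed -> login
    m = FormAuthModel()
    c, _ = m.post_protected(None, FORM)
    m.expire(c)
    return m.login(c, "user1")[1][1]
```

In this model the two cases are the same from the server's side, because the POST in Case 2 arrives after the old session is gone and is saved in a new one; only expiry between the POST and the login loses the data.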
