tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Form Authentication POST data not preserved?
Date Sat, 04 Feb 2012 18:33:18 GMT
Hash: SHA1


On 2/3/12 6:26 PM, Konstantin Kolinko wrote:
> 2012/2/4 Jess Holle <>:
>> I posted a query recently wherein I thought that POST data was
>> being lost *only* if the user had been authenticated, their
>> session timed out, and then they POST'ed to a URL requiring
>> authentication -- thus having their request interrupted for a
>> form-based login.
>> I know Tomcat is supposed to preserve the POST data in this case
>> as well as in the case where one had not yet authenticated prior
>> to the POST, but I'd thought that the latter case worked.
>> As someone nicely pointed out, that makes no sense.
> Why? The saved data is kept in session. If session times out (that 
> means: it is removed from the server) the data that was kept in it 
> becomes lost as well as the session itself.

It was I who said it made no sense, and here's why: my understanding
of Jess's situation was that he was comparing the following two cases
and saying that they behaved differently:

Case 1:
  a. User logs in
  b. User navigates to POST form
  c. Session times out
  d. User POSTs form
  e. Login form is shown
  f. User authenticates successfully
  g. Form data is successfully re-POSTed (*)

  * Jess is now saying that step (g) actually fails

Case 2:
  a. User has never logged-in, yet sits on a POST form page
  b. User POSTs form
  c. Login form is shown
  d. User authenticates successfully
  e. Form data faild to be re-POSTed

Since Tomcat cannot actually differentiate between these two cases,
observing them behaving differently seems suspicious.

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message