tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brett Mason <>
Subject Forms authentication without cookies in 6.0.33
Date Fri, 20 Jul 2012 02:37:33 GMT
Hi there,

We have an application which uses the forms authentication provided by
Servlet specification and is configured store session IDs in the URL rather
than using cookies. This configuration has been working as expected under
Tomcat 6.0.32 and earlier.

On upgrading to Tomcat 6.0.33 or 6.0.35 this combination no longer works as
expected. Specifically, when a user initially submits the login form they
are immediately returned back to the form-login-page. Submitting the login
form a second time allows them to log in. The only difference I have been
able to spot between the first and second form submission is for the second
submission the request attribute "javax.servlet.forward.request_uri" now
has the jsessionid appended to the URL.

After a bit of reading I'm not sure if this change is a bug, perhaps
introduced by the changes to path parameter handling as mentioned in these

Or if we are using an unsupported configuration which is suggested by
section SRV. of the Servlet specification v2.5.

Could someone please clarify if Tomcat supports forms authentication
without cookies? If it is intended to be a supported configuration I'm
happy to submit a bug report and can provided a simple standalone test app
to reproduce the problem.


Environment details:
- Windows 7 64-bit, Oracle JVM 1.6.0u32 & 1.7.0u4.
- Debian 5 32-bit, Oracle JVM 1.6.0u32.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message