Posted to users@tomcat.apache.org by "hv @ Fashion Content" <in...@fashioncontent.com> on 2005/12/02 13:39:23 UTC

When does 408 happen ?

I get:

HTTP Status 408 - The time allowed for the login process has been exceeded. 
If you wish to continue you must either click back twice and re-click the 
link you requested or close and re-open your browser

Will it happen when a JSESSION cookie is on the client, but no longer on the 
server? 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: When does 408 happen ?

Posted by Mark Thomas <ma...@apache.org>.
hv @ Fashion Content wrote:
> On the default page of the site I put a login form as described in the 
> Servlet spec.
> I then specified the default page to be the login page and listed all other 
> pages on the site (except access denied page) as protected.
> 
> The behaviour that I expected was:
> 1) If a user visits the site he has the option to log in.
> 2) If he returns to the site via an old link/favourite, the default page 
> will be shown for him to log in.
> 
> As I understand it now, this setup cannot be achieved using form 
> authentication.

How about this.
- Set any page in your app as the welcome page
- Protect all pages

This should give the following behaviour:
1) User visiting site requests welcome page and is redirected to
login page. After successful auth user is redirected to welcome page.
2) User visiting site via link/favourite is redirected to login page.
After successful auth user is redirected to welcome page.

> In my mind that makes form authentication completely useless.

Hopefully not ;). The one thing that will not work is if a user
bookmarks the login page. If they try to use a bookmarked login page they
will get the 408. Another problem is if you want authentication over
https but the rest of the site over http you will need to do some
extra things to achieve this. Search the user list as there have been
some posts about this recently.

> Hopefully I got it all wrong, and there is a way to achieve my goal.

I think there is. See above.




Re: When does 408 happen ?

Posted by "hv @ Fashion Content" <in...@fashioncontent.com>.
Ok, in a way the problem is "solved", as I apparently was trying to achieve 
something that goes against
the implemented behaviour.

On the default page of the site I put a login form as described in the 
Servlet spec.
I then specified the default page to be the login page and listed all other 
pages on the site (except access denied page) as protected.

The behaviour that I expected was:
1) If a user visits the site he has the option to log in.
2) If he returns to the site via an old link/favourite, the default page 
will be shown for him to log in.

As I understand it now, this setup cannot be achieved using form 
authentication.

In my mind that makes form authentication completely useless.

Hopefully I got it all wrong, and there is a way to achieve my goal.

"Mark Thomas" <ma...@apache.org> wrote in a message 
news:4391AD9B.1030300@apache.org...
> hv @ Fashion Content wrote:
>> So what if my login page does NOT create a session and the user browses 
>> to the login page and then enters credentials ?
>
> Tomcat will create one if it does not exist.
>
> I recognise the text "The time allowed for the login process has been 
> exceeded. If you wish to continue you must either click back twice and 
> re-click the link you requested or close and re-open your browser" as 
> something I wrote so I am pretty sure this is coming from Tomcat. The 
> message is generated when the session is invalid. This was only seen as 
> the result of a time-out but could also be as a result of other session 
> problems.
>
> Using a tool like ieHttpHeaders (IE), Live HTTP Headers (Firefox) or 
> TcpMon (from Apache Axis) should help you figure out what is going on.
>
> Mark 






Re: When does 408 happen ?

Posted by Mark Thomas <ma...@apache.org>.
hv @ Fashion Content wrote:
> So what if my login page does NOT create a session and the user browses to 
> the login page and then enters credentials ?

Tomcat will create one if it does not exist.

I recognise the text "The time allowed for the login process has been 
exceeded. If you wish to continue you must either click back twice and 
re-click the link you requested or close and re-open your browser" as 
something I wrote so I am pretty sure this is coming from Tomcat. The 
message is generated when the session is invalid. This was only seen 
as the result of a time-out but could also be as a result of other 
session problems.

Using a tool like ieHttpHeaders (IE), Live HTTP Headers (Firefox) or 
TcpMon (from Apache Axis) should help you figure out what is going on.

Mark





Re: When does 408 happen ?

Posted by "hv @ Fashion Content" <in...@fashioncontent.com>.
So what if my login page does NOT create a session and the user browses to 
the login page and then enters credentials ?
In that case there will be no session created when login form is submitted.

As I understand it I must ensure that the login page creates a session

Henrik

"Mark Thomas" <ma...@apache.org> wrote in a message 
news:43909AAC.1010703@apache.org...
> hv @ Fashion Content wrote:
>> I get:
>>
>> HTTP Status 408 - The time allowed for the login process has been 
>> exceeded. If you wish to continue you must either click back twice and 
>> re-click the link you requested or close and re-open your browser
>>
>> Will it happen when a JSESSION cookie is on the client, but no longer on 
>> the server?
>
> It happens with FORM authentication. The sequence of events is:
> - user requests protected page
> - server returns login jsp (session is created at this point)
> - user does nothing
> - session expires (default 30 minutes?)
> - user submits login form
> - server can't find session associated with login as it has expired
> - server returns 408
>
> Mark 






Re: When does 408 happen ?

Posted by Martin Gainty <mg...@hotmail.com>.
Henrik
Could you confirm that your 408 is caused by client hanging the connection 
for 30 min?
Thanks
Martin-
----- Original Message ----- 
From: "Mark Thomas" <ma...@apache.org>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Friday, December 02, 2005 2:04 PM
Subject: Re: When does 408 happen ?


> hv @ Fashion Content wrote:
>> I get:
>>
>> HTTP Status 408 - The time allowed for the login process has been 
>> exceeded. If you wish to continue you must either click back twice and 
>> re-click the link you requested or close and re-open your browser
>>
>> Will it happen when a JSESSION cookie is on the client, but no longer on 
>> the server?
>
> It happens with FORM authentication. The sequence of events is:
> - user requests protected page
> - server returns login jsp (session is created at this point)
> - user does nothing
> - session expires (default 30 minutes?)
> - user submits login form
> - server can't find session associated with login as it has expired
> - server returns 408
>
> Mark


Re: When does 408 happen ?

Posted by Mark Thomas <ma...@apache.org>.
hv @ Fashion Content wrote:
> I get:
> 
> HTTP Status 408 - The time allowed for the login process has been exceeded. 
> If you wish to continue you must either click back twice and re-click the 
> link you requested or close and re-open your browser
> 
> Will it happen when a JSESSION cookie is on the client, but no longer on the 
> server? 

It happens with FORM authentication. The sequence of events is:
- user requests protected page
- server returns login jsp (session is created at this point)
- user does nothing
- session expires (default 30 minutes?)
- user submits login form
- server can't find session associated with login as it has expired
- server returns 408

Mark

