Posted to users@tomcat.apache.org by Jess Holle <je...@ptc.com> on 2012/02/01 20:10:38 UTC

Tomcat Form Authentication Timeout Behavior

I've noticed that if I POST to an authenticated URL in a web app 
configured for form-based authentication, Tomcat delivers the login 
form, and then replays the POST just fine *unless* the current state of 
the browser is one where I had already been authenticated but that 
session had timed out.  In that case, Tomcat fails to deliver the POST data.

I assume this is a known issue/limitation.  If not, is there some 
configuration setting I'm missing or some such?  This is with Tomcat 7.0.23.

--
Jess Holle


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat Form Authentication Timeout Behavior

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jess,

On 2/1/12 2:10 PM, Jess Holle wrote:
> I've noticed that if I POST to an authenticated URL in a web app 
> configured for form-based authentication, Tomcat delivers the login
> form, and then replays the POST just fine *unless* the current
> state of the browser is one where I had already been authenticated
> but that session had timed out.  In that case, Tomcat fails to
> deliver the POST data.
> 
> I assume this is a known issue/limitation.  If not, is there some 
> configuration setting I'm missing or some such?  This is with 
> Tomcat 7.0.23.

If you are logged-in and experience a timeout while you stare at a
POST form, the next POST should ask for your credentials and then
re-POST the form.

Your description above seems to claim that Tomcat can somehow tell the
difference between a POST to a timed-out session and a POST to a
session which never existed. Tomcat does not keep old sessions around
for the purposes of messing up your flows.

Are you sure you are describing your observations properly?

Tomcat *does* have a maximum size for a saved post (see
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html,
"maxSavePostSize" - the default is 4kb). I actually don't know what
happens if the POST size exceeds this value since I've never needed
more than the default.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8plDEACgkQ9CaO5/Lv0PC2OgCgr27LjLMrycQrWS4dEgH4qsiM
kzQAn3rWP/BUT/wbKiQudxMYLpiNnQC4
=jybe
-----END PGP SIGNATURE-----
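
The two settings the reply touches on, as an added configuration example that is not part of either message in this thread: a server.xml Connector showing the documented 4096-byte default for maxSavePostSize beside a raised value, and a web.xml fragment wiring up FORM authentication with a session timeout. The attribute name and its default come from the Tomcat 7 HTTP connector reference linked above; the 65536-byte value, the /app/* URL pattern, the role name, the login page paths and the 30-minute timeout are arbitrary choices made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Two Connector definitions are
     shown side by side for comparison; a real server.xml would keep one.
     The 4096-byte value is the documented Tomcat 7 default; 65536 is an
     arbitrary illustration of a raised limit. -->
<Server>
  <Service name="Catalina">

    <!-- Default: request bodies above 4 KB are not buffered while the
         user is sent to the login form, so such a POST cannot be
         replayed after a successful login. -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               maxSavePostSize="4096" />

    <!-- Raised: up to 64 KB of request body is buffered per pending
         login. The buffer lives in the session that Tomcat creates
         when it serves the login form, so this is memory an as yet
         unauthenticated client can hold for the life of that session. -->
    <Connector port="8081" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               maxSavePostSize="65536" />

  </Service>
</Server>
```

The matching web.xml of a hypothetical application protected by FORM authentication (paths and role name are assumptions made for this example):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml fragment (hypothetical application). The login
     page must contain a form that POSTs j_username and j_password to
     j_security_check; Tomcat replays the saved request once that
     login succeeds, provided the session that holds it is still alive. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Idle minutes before the session, and with it any saved POST body
       waiting for a login, is discarded. -->
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>

</web-app>
```

Two things are worth checking when a POST is not replayed: whether the body is larger than the Connector's maxSavePostSize, and whether the session that received the login form was still alive when the credentials were submitted, since the saved request is attached to that session and a timeout discards both together. Raising maxSavePostSize is a trade-off: the buffered body is held in server memory for every login that is pending, so the limit should match the largest form the application legitimately needs to replay rather than be removed outright.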
