I have resolved this problem, and as is so often the case (certainly with
me anyway) the cause of this wasn't what it initially appeared. Anyway I
thought I'd share my findings in case anyone else came across this problem.

This is an IE specific problem relating to IFRAMES and nothing to do with
Tomcat.

A look at the AuthenticatorBase code led me to believe the only thing that
could actually cause the 408 is if the session could not be located. This is
looked up from the session id in the request. It was a fair guess that
something was happening to the session id cookie when the request came as
the result of an IFRAME.

A little investigation with the Privacy controls in IE fixed the problem. It
seems the cookie settings are different for pages in IFRAMES than for
top-level pages. In order to get this working the global privacy level must
be dropped (specifically to "Always allow session cookies") or (probably more
advisable) add the app URL to the Managed Sites from the Advanced tab with
"Always Allow".

-----Original Message-----
From: Andrew Chapman [mailto:[EMAIL PROTECTED] 
Sent: 03 May 2005 10:29
To: tomcat-user@jakarta.apache.org
Subject: SSL, Form Authentication 408 error

If I set the src of an IFRAME to my web application, which uses Form
Authentication and SSL, the server consistently throws back a 408 error in
IE when attempting to log in. The same scenario consistently works with
Firefox.

I suspect there are timing issues with IE, IFRAMEs and Form Authentication
causing the 408. I have searched the archives without success and a more
general search seems to indicate that there are issues with IFRAMEs and SSL
in IE but no specifics.

My question is: Does anyone know of a way to configure Tomcat (5.0.28) to be
more resilient/permissive i.e. to increase the timeout for Form
Authentication before a 408 error is thrown?

Thanks in advance

Andy Chapman
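
Added example (not part of the original thread, and not Tomcat code): one way to confirm the diagnosis above from the server side is to separate 408 responses to the form-login POST where the browser sent no session id from those where it sent one the server no longer knows. The access-log layout, the sample lines and the function names are assumptions made for this example; j_security_check is the standard servlet form-login action.

```python
import re

# Constructed sample lines (not from the original thread). Assumed access-log
# layout: client "request line" status "Cookie request header".
SAMPLE_LOG = '''\
192.0.2.5 "GET /app/login.jsp HTTP/1.1" 200 "-"
192.0.2.5 "POST /app/j_security_check HTTP/1.1" 408 "-"
192.0.2.7 "GET /app/login.jsp HTTP/1.1" 200 "-"
192.0.2.7 "POST /app/j_security_check HTTP/1.1" 302 "JSESSIONID=A1B2C3"
192.0.2.9 "POST /app/j_security_check HTTP/1.1" 408 "JSESSIONID=0DDBA11"
'''

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')


def has_session_cookie(cookie_header):
    """True if the Cookie header carries a non-empty JSESSIONID pair."""
    pairs = (p.strip().split("=", 1) for p in cookie_header.split(";"))
    return any(len(p) == 2 and p[0] == "JSESSIONID" and p[1] for p in pairs)


def classify_login_408s(log_text):
    """Return (client, cause) for every 408 answered to a form-login POST."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        client, method, raw_path, status, cookie = m.groups()
        # Drop the query string and any ;jsessionid=... path parameter.
        path = raw_path.split("?", 1)[0].split(";", 1)[0]
        if method != "POST" or status != "408":
            continue
        if not path.endswith("/j_security_check"):
            continue
        # A session id can arrive as a cookie or via URL rewriting.
        sent = has_session_cookie(cookie) or ";jsessionid=" in raw_path
        # "cookie-missing": the browser never returned the session id
        # (the blocked-cookie case). "cookie-sent": an id was sent but the
        # server had no matching session, e.g. it had expired.
        findings.append((client, "cookie-sent" if sent else "cookie-missing"))
    return findings


if __name__ == "__main__":
    for client, cause in classify_login_408s(SAMPLE_LOG):
        print(client, cause)
```

A run of "cookie-missing" results from one browser family that loads the application inside a frame points at client-side cookie policy rather than a server timeout.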


