Folks,

If we turn off all cookies in our browser, then FORM-based authentication fails. We use <c:url /> to append SESSIONID=blah to the URL. When the user clicks on a protected link, we get to the login page with the correct session id. After entering the correct user name and password, it fails to pass on to the protected link. Instead we jump to an error.jsp with a DIFFERENT session ID! It seems as if the login form is creating a new session, and adding session attributes to the new session. But the URL we are forwarding to contains the old session ID, which does not have any security attributes, and so the system says you are not logged in.

There is no logging output to suggest what is happening. If we turn session cookies on, then it all works fine. Is this normal behaviour? Are there any workarounds?

Ciao,
Jonathan O'Connor
Ph: +353 1 872 3305
Mob: +353 86 824 9736
Fax: +353 1 873 3612
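
One way to get the logging the post says is missing, as an added example that is not part of the original message or of JBoss: a servlet filter that records, for each request, the session ID the client asked for, whether it arrived in the URL or in a cookie, and the session the container actually resolved. The class name `SessionTraceFilter` is hypothetical, and the filter is assumed to be written against the `javax.servlet` Filter API and mapped to `/*` in `web.xml`.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added diagnostic example; SessionTraceFilter is a hypothetical name.
public class SessionTraceFilter implements Filter {
    private ServletContext ctx;

    public void init(FilterConfig cfg) { ctx = cfg.getServletContext(); }
    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        ctx.log(describe("before", req));
        try {
            chain.doFilter(rq, rs);
        } finally {
            // A changed "actual" value here means the session was swapped
            // or created while this request was being handled.
            ctx.log(describe("after", req));
        }
    }

    private static String describe(String phase, HttpServletRequest req) {
        HttpSession s = req.getSession(false); // never create a session here
        String source = req.isRequestedSessionIdFromURL() ? "url"
                : req.isRequestedSessionIdFromCookie() ? "cookie" : "none";
        return phase + " " + req.getMethod() + " " + req.getRequestURI()
                + " requested=" + mask(req.getRequestedSessionId())
                + " source=" + source
                + " requestedValid=" + req.isRequestedSessionIdValid()
                + " actual=" + (s == null ? "none" : mask(s.getId()))
                + " new=" + (s != null && s.isNew())
                + " user=" + req.getRemoteUser();
    }

    // Log only a prefix so the log file cannot be used to replay a session.
    private static String mask(String id) {
        if (id == null) return "none";
        return id.length() <= 6 ? "***" : id.substring(0, 6) + "...";
    }
}
```

The container may process the `j_security_check` POST and the forward to the login page without invoking filters, so compare the lines logged for the requests on either side of the login. A line with `source=url`, `requestedValid=false` and a different `actual` prefix is the mismatch described in the post.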