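/*
 * Hi ...I've tried to modify AccessInterceptor in order to use FORM authentication WITHOUT
 * enabling cookies. The appended code stays between //HERE IS THE DIFFERENCE &
 * // SOFTWIN: THE DIFFERENCE ENDS HERE. Unfortunately, I didn't succeed in compiling it.
 * Could you take a look and eventually send me back a "fixed" Tomcat?
 */

// ...

    // Fragment of the class being modified (AccessInterceptor, per the message above).

    // SOFTWIN: HERE IS THE DIFFERENCE
    /**
     * When true, the form-login handler appends the session id to the URL it saves for the
     * post-login redirect. Defaults to false.
     */
    boolean noCookies = false;

    /**
     * Switches cookie-less FORM login on or off.
     *
     * @param noCookies true to carry the session id in the saved URL
     */
    public void setNoCookies(boolean noCookies) {
        this.noCookies = noCookies;
    }
    // SOFTWIN: THE DIFFERENCE ENDS HERE

// ...

/**
 * Internal handler for FORM login. It either sends the client to the login page after
 * remembering the URL that was requested, or sends it to the error page when the session
 * already holds a j_username from an earlier attempt.
 */
class FormAuthHandler extends ServletWrapper {

    FormAuthHandler() {
        initialized = true;
        internal = true;
        name = "tomcat.formAuthHandler";
    }

    /**
     * Starts or restarts the FORM login exchange for a request.
     *
     * <p>The target page is placed in the {@code javax.servlet.error.message} request
     * attribute and {@code contextM.handleStatus} is called with status 302.
     *
     * @param req the request being handled
     * @param res the response for that request
     * @throws Exception declared by the original signature
     */
    public void doService(Request req, Response res) throws Exception {
        Context ctx = req.getContext();
        String page = ctx.getFormLoginPage();
        String errorPage = ctx.getFormErrorPage();
        // assert errorPage!=null ( AccessInterceptor will check
        // that and enable form login only if everything is ok

        // The original looked the session up with getSession(false), did nothing in the
        // null branch, and then called getSession(true); only the creating call is kept.
        HttpSession session = req.getSession(true);

        String username = (String) session.getAttribute("j_username");
        if (debug > 0) {
            // NOTE(review): this writes the submitted user name to the debug log.
            log("Username = " + username);
        }

        if (username != null) {
            // 401 with existing j_username - that means wrong credentials.
            // Next time we'll have a fresh start
            // NOTE(review): the removal below suggests j_password is kept as a session
            // attribute between requests - confirm where it is set and how long it lives.
            session.removeAttribute("j_username");
            session.removeAttribute("j_password");
            req.setAttribute("javax.servlet.error.message", errorPage);
            contextM.handleStatus(req, res, 302); // redirect
            return;
        }

        String originalLocation = req.getRequestURI();
        // SOFTWIN: HERE IS THE DIFFERENCE
        // NOTE(review): noCookies is declared in the fragment above, which the message says
        // belongs to AccessInterceptor. If FormAuthHandler is a separate class rather than
        // an inner class of it, the field is not in scope here and this line does not
        // compile - possibly the failure described above. Confirm, and pass the flag to
        // the handler explicitly.
        if (noCookies) {
            // The id is a path parameter, so it needs the ';' separator; without it the
            // text is glued onto the last path segment of the request URI.
            //
            // Security: a session id carried in a URL can surface in access and proxy
            // logs, browser history and Referer headers, and whoever holds it can use the
            // session. Keep this mode opt-in, prefer cookies where the client accepts
            // them, and issue a fresh session id once login succeeds so an id planted
            // before authentication is not promoted to an authenticated one.
            originalLocation += ";jsessionid=" + session.getId();
        }
        // SOFTWIN: THE DIFFERENCE ENDS HERE
        if (req.getQueryString() != null) {
            originalLocation += "?" + req.getQueryString();
        }

        session.setAttribute("tomcat.auth.originalLocation", originalLocation);

        if (debug > 0) {
            log("Redirect1: " + page + " originalUri=" + req.getRequestURI());
        }

        req.setAttribute("javax.servlet.error.message", page);
        contextM.handleStatus(req, res, 302); // redirect
        return;
    }
}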