"Sasha Borodin" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Howdy, trying to solve an issue before heading out for the weekend, any
> insight would be greatly appreciated :-)
>
> From my understanding of the CMA docs for Tomcat, a user's credentials are
> cached after login, and a user is authenticated until the session expires
> (FORM) or the browser is restarted (BASIC, etc.).  However, the docs don't
> mention the expected behavior if the container or individual context is
> reloaded.
>
> I'm using FORM-based login.  My sessions are set to expire after 30 minutes.
> Sessions are serialized.  But if I reload the context even before the
> session is expired, I'm redirected to my login page if I request any
> protected resources after the reload.
>
> The session is still valid, because I'm not assigned a different session id
> - the same one is somehow "blessed" again.  I would think that since the
> docs state that "logged in" status is tied to the session, a user would
> remain logged in until the session expires or is invalidated.
>
> Is there a switch I'm missing to save the "logged in" status?  Or is this
> the designed behavior according to the Servlet spec?

There is no switch that you are missing:  Tomcat refuses to save/restore the
logged in user from the Session.  It certainly isn't doing this because of
the Servlet spec (if anything, my reading of the spec suggests that it
should retain the user).  However, this is a grey area in the spec, so you
can't say that Tomcat is violating the spec either.

>
> Thank you very much,
>
> -Sasha



