At 09:35 3/28/01 -0500, you wrote:
>> thanks for your reply, but i am not using sessions any way.
>> either this does not happen when i use simple basic authentication.
>> it seems that session management is turned on some way, when
>> i use form based sec.
>> any hint?
>
>Not sure I understand what you mean by not using sessions? You mean
>you never access any instances of HttpSession?
yes, this is what i mean.
> Did you do something
>like get rid of(from server.xml):
>
><RequestInterceptor
>className="org.apache.tomcat.session.StandardSessionInterceptor" />
no, i haven't dared ;-)
>To the best of my knowledge Tomcat does session management despite
>whatever type of authentication you are using(correct me if I'm wrong
>anyone...).
this is the answer i was looking for: by default, sessions are working under the hood.
the basic authorization is likely to be a bit more slack dealing with timeout, since
the client just has to send correct authorization headers.
> I believe your servlet would work fine, as long as you
>don't get an instance of HttpSession, if you removed the RequestInterceptor
>for the Session Manager; but jsp pages will still have a problem.
>
>Of course, this is all to the best of my knowledge...
thanks again for your answer.
btw: servlet specs v2.2 do not describe the authentication scheme used by form based
auth. where can i find a tomcat-based description of it?
simone
>Anyone else have comments on this?
>
>
>---
>Michael Wentzel
>Software Developer
>Software As We Think - http://www.aswethink.com
>mailto:[EMAIL PROTECTED]
>
>- Punisher of those who cannot spell dumb!
>
>
