Because form-based login requires the use of sessions, you *must* use URL
rewriting to pass the session id when your clients do not support
cookies. In practical terms, that means your form-based login page should
be a JSP (rather than static HTML) with a <form> element like this:
<FORM METHOD="POST" name="login"
ACTION='<%= response.encodeURL("j_security_check") %>'>
If your client really does have cookies, the rewriting will not occur
after the first request.
Craig McClanahan
On Wed, 18 Jul 2001, Hensley, Zachary wrote:
> I can not get form based authentication to work with cookies turned off and
> using URL rewriting. I have set noCookie="true" in the server.xml and I
> have tried several different variations of passing jessionid, all listed
> below.
>
> <FORM METHOD="POST" name="login" ACTION="j_security_check">
> <INPUT TYPE="hidden" NAME="jsessionid" value="<%=session.getId()%>"/>
> ..
> <FORM METHOD="POST" name="login"
> ACTION="<%=response.encodeURL("j_security_check")%>">
> ..
> <FORM METHOD="POST" name="login"
> ACTION="j_security_check");jessionid=<%=session.getId()%>">
> ..
>
> I have also tried all upper case for "jessionid"
>
> I want to use cookies, but I have to support people without, by using URL
> rewriting. Can I use cookies for people that have cookie enabled browsers,
> and URL rewriting for people that don't or is it one or the other. I really
> appreciate any help.
>
>
> Thanks,
>
> Zach H.
>
>
>
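An added example, not part of the original thread: a simplified model of the URL rewriting described in the reply, showing where the session id must sit in the request URI for the container to find it. The class and method names and the sample id are assumptions made for illustration; this is not Tomcat's code.

```java
import java.util.Optional;

// Simplified model of URL rewriting (an assumption for illustration,
// not Tomcat's code). Class and method names are hypothetical.
public class SessionIdFromUrl {
    private static final String MARKER = ";jsessionid=";

    // Simplified version of what response.encodeURL() does: add the id as
    // a path parameter unless the client already returned it in a cookie.
    static String encodeUrl(String url, String id, boolean idFromCookie) {
        if (idFromCookie) return url;
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q);
        String query = q < 0 ? "" : url.substring(q);
        return path + MARKER + id + query;
    }

    // The container reads the id from the request URI only; POST form
    // fields (such as a hidden "jsessionid" input) are not consulted.
    static Optional<String> sessionIdFromUri(String uri) {
        int q = uri.indexOf('?');
        String path = q < 0 ? uri : uri.substring(0, q);
        int start = path.indexOf(MARKER);
        if (start < 0) return Optional.empty();
        start += MARKER.length();
        int end = path.indexOf(';', start);
        String id = end < 0 ? path.substring(start) : path.substring(start, end);
        return id.isEmpty() ? Optional.empty() : Optional.of(id);
    }

    public static void main(String[] args) {
        String id = "ABC123"; // constructed sample session id
        String[] uris = {
            "/app/j_security_check",                       // hidden form field only
            "/app/j_security_check;jessionid=" + id,       // misspelled parameter
            encodeUrl("/app/j_security_check", id, false), // no cookie support
            encodeUrl("/app/j_security_check", id, true),  // cookie client
            encodeUrl("/app/page.jsp?x=1", id, false)      // id goes before the query
        };
        for (String uri : uris) {
            System.out.println(uri + " -> " + sessionIdFromUri(uri).orElse("(no session id)"));
        }
    }
}
```

Only the third and fifth URIs carry a session id in the path parameter; the cookie client's URL is left unrewritten because its id travels in the Cookie header instead.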