On Mon, 17 Sep 2001, pero wrote:

> Date: Mon, 17 Sep 2001 14:23:27 +0200
> From: pero <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: form based login
>
> Hi Craig,
>
> thanks for your fast reply. To avoid any misunderstandings - my Tomcat
> configuration works well (including sessions based on URL-rewriting) for my
> (not that small) application, I just wanted to protect the admin-stuff.
> I think your guess was right: Setting cookies to "true" solves this.
> Switching back to URL-rewriting doesn't work.
>
> If this is a bug, will it be fixed by the final release? (If not, I have
> to deal with it...)
>

OK, I figured out what was going on here.

Tomcat 4 is already performing URL rewriting on the redirects it does to
perform form-based login.  However, it is also required that your form
login page must do URL rewriting on its own link -- otherwise, there is no
way to maintain session identity in the absence of cookies.

I solved this by modifying the <form> tag on my login page to say:

  <form method="POST"
   action='<%= response.encodeURL("j_security_check") %>'>
      ...
  </form>

and everything worked correctly.  I've just modified the form based login
example that will ship with Tomcat 4 to use this technique as well.

> thanks,
> pero

Craig
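
Why a login form with a plain action loses the session when cookies are off, as an added example that is not part of the original message and is not Tomcat's code: a simplified model in which the container can only find the session through the `;jsessionid=` path parameter that URL rewriting adds. The class name, the session id and `/admin/index.jsp` are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model of cookie-less form login; an assumption-laden sketch, not Tomcat code.
public class FormLoginRewriteDemo {
    // Session id -> URL the client originally asked for (saved before the login redirect).
    static final Map<String, String> savedRequests = new HashMap<>();

    // Mimics the effect of response.encodeURL(): carry the session id in the path
    // as a ";jsessionid=" parameter, ahead of any query string.
    static String encodeURL(String url, String sessionId) {
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q);
        String query = q < 0 ? "" : url.substring(q);
        return path + ";jsessionid=" + sessionId + query;
    }

    // What the container can recover from a request URL when no cookie is sent.
    static String sessionIdFrom(String url) {
        String marker = ";jsessionid=";
        int i = url.indexOf(marker);
        if (i < 0) return null;
        String rest = url.substring(i + marker.length());
        int end = rest.indexOf('?');
        return end < 0 ? rest : rest.substring(0, end);
    }

    // Handling of the POST to j_security_check: without a session id there is no
    // saved request to return to, so the login cannot complete.
    static String securityCheck(String postedUrl) {
        String id = sessionIdFrom(postedUrl);
        String original = (id == null) ? null : savedRequests.get(id);
        return original == null
                ? "FAIL: no session, original request lost"
                : "OK: redirect to " + encodeURL(original, id);
    }

    public static void main(String[] args) {
        String sid = "CONSTRUCTED123";               // constructed sample session id
        savedRequests.put(sid, "/admin/index.jsp");  // constructed protected page
        // Login form with a plain action, as before the fix:
        System.out.println(securityCheck("j_security_check"));
        // Login form whose action went through encodeURL, as in the fix:
        System.out.println(securityCheck(encodeURL("j_security_check", sid)));
    }
}
```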

