I'm looking at the org.apache.catalina.authenticator.FormAuthenticator
class from the 7.0.29 src.  This portion of the authenticate method
starting around line 301 is where I'm having a little problem:


if (log.isDebugEnabled()) {
    log.debug("Authentication of '" + username + "' was successful");
}

if (session == null) {
    session = request.getSessionInternal(false);
}

if (session == null) {
    if (containerLog.isDebugEnabled()) {
        containerLog.debug
            ("User took so long to log on the session expired");
    }
    if (landingPage == null) {
        response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
                sm.getString("authenticator.sessionExpired"));
    } else {
        // Make the authenticator think the user originally requested
        // the landing page
        String uri = request.getContextPath() + landingPage;
        SavedRequest saved = new SavedRequest();
        saved.setMethod("GET");
        saved.setRequestURI(uri);
        request.getSessionInternal(true).setNote(
                Constants.FORM_REQUEST_NOTE, saved);
        response.sendRedirect(response.encodeRedirectURL(uri));
    }
    return (false);
}


If the user sits too long on the login page the session times out and,
even if their credentials were authenticated successfully, they are sent
back to the login page where they must re-enter their credentials.  It
works this way even if I define a landingPage.  Without a landingPage I
get the dreaded 408 error.

Can anyone enlighten me as to why it's a bad idea if:

 if (session == null) {
   session = request.getSessionInternal(false);
 }

is instead:

 if (session == null) {
   session = request.getSessionInternal(true);
 }

Thanks,
Kris


