I'm looking at the org.apache.catalina.authenticator.FormAuthenticator class from the 7.0.29 src. This portion of the authenticate method starting around line 301 is where I'm having a little problem:

    if (log.isDebugEnabled()) {
        log.debug("Authentication of '" + username + "' was successful");
    }

    if (session == null) {
        session = request.getSessionInternal(false);
    }
    if (session == null) {
        if (containerLog.isDebugEnabled()) {
            containerLog.debug
                ("User took so long to log on the session expired");
        }
        if (landingPage == null) {
            response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
                    sm.getString("authenticator.sessionExpired"));
        } else {
            // Make the authenticator think the user originally requested
            // the landing page
            String uri = request.getContextPath() + landingPage;
            SavedRequest saved = new SavedRequest();
            saved.setMethod("GET");
            saved.setRequestURI(uri);
            request.getSessionInternal(true).setNote(
                    Constants.FORM_REQUEST_NOTE, saved);
            response.sendRedirect(response.encodeRedirectURL(uri));
        }
        return (false);
    }

If the user sits too long on the login page the session times out, even if their credentials were authenticated successfully, and sends them back to the login page where they must re-enter their credentials. It works this way even if I define a landingPage. Without a landingPage I get the dreaded 408 error.

Can anyone enlighten me as to why it's a bad idea if:

    if (session == null) {
        session = request.getSessionInternal(false);
    }

is instead:

    if (session == null) {
        session = request.getSessionInternal(true);
    }

Thanks,
Kris