I've read around the docs and various help sites trying to figure this out, but my situation isn't matching anything I've read, so looking for a little extra help.
Here's my config: [tomcat 8.5.24 | java 8.0 | macos 10.14]

According to here: https://tomcat.apache.org/tomcat-8.5-doc/config/manager.html#Special_Features

It says a session should normally persist if the application is reloaded or the server restarted, however, that is not the behavior I'm experiencing.

Here's what happens: When a user logs in I create a session and store in it a single custom object that I’ve marked serializable, and all of its members are serializable (just Strings and an Instant). When the application restarts both the session and the contents seem to be restored as expected. But if the application is undeployed and redeployed the session seems to get recreated automatically, with a new session id (and negotiated through cookies with the client), but the contents of the session are now gone.

To explain a bit differently, I have a test page that allows access only to an authenticated user. This test page will spit out both the session id and the contents of the session object. If I log in normally and go to this page everything is fine. If I reload my application and then reload this page then everything stays the same as expected, and I'm sure this page isn't being cached (my verification has to do with the Instant I mentioned earlier). But if I undeploy and redeploy the application, or restart the server, then I can still reload this protected page without having to log in, but two things are different:

1) there's a new session id
2) the session contents are now unavailable

By hooking up a session listener I can confirm that a new session is being silently created, although the session is never getting destroyed.

So what's going on here? This doesn't seem to be what the docs describe. This scenario is causing problems because the session data I store includes authentication info for an external resource, so my users are effectively only 1/2 logged in, and in a weird state.

Two more small details:

* The doc I referenced talks about Persistent Managers, but I'm not using anything non-standard.
* The one non-standard thing I am using is the single-sign-on valve, but this was only to overcome a different (reported) bug I found dealing with programmatic logins (long story).

Thanks for any help!

Robert