Hi Mark- Thanks for the response.
> > * if the application is undeployed and redeployed (while the server
> > remains running) a new session is silently generated, and any contents
> > disappear, but the user maintains her authentication
>
> As expected. Redeploy (undeploy+deploy) != reload (stop+start)

This is a good point and why I sent the follow-up email. However, I'd expect the undeploy+deploy to be the one to completely clean out and invalidate the session, but the distinction isn't important for my situation.

> > * if the server is shut down and restarted then everything seems to
> > disappear, as I then get a 403 when trying to access the protected page
>
> Expected behaviour here will depend on whether a server shutdown shuts down
> Tomcat cleanly. From your description it sounds like it does not.

I just re-ran my test, getting the same result, i.e., after a server restart a previously accessible request now gives a 403.

Looking at the logs, the shutdown seems fine (i.e., nothing above INFO), and there were only a few lines, but this one might be relevant:

INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log SessionListener: contextDestroyed()

On subsequent startup there are a lot more logs, but one warning that doesn't seem relevant:

WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Realm/Realm/CredentialHandler} Setting property 'keyLength' to '256' did not find a matching property.

But maybe it is? There was also this session-relevant line:

INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log SessionListener: contextInitialized()

So not sure what is going on. I'll see if I can figure out if that WARNING is causing issues.

Thanks for the guidance, but please let me know if there's anything else I can look at.

Robert