Link to the image that shows the details: https://docs.google.com/document/d/1Ziojwm6rPvyuJ6rpJR1tu0e5xTfnawrHeLz3QvL28XA/edit?usp=sharing

Thanks and Regards,
Rajendra Rathore
9922701491

From: Rathore, Rajendra
Sent: Thursday, December 30, 2021 4:25 PM
To: users@tomcat.apache.org
Subject: issue with Form based authentication
Importance: High

Hi Team,

We are facing a weird issue with Tomcat form-based authentication. I will try to explain the scenario below.

The issue is reproducible in specific conditions: when the browser cache is disabled and cleared out before session timeout. In these conditions, after session timeout, when the user moves the mouse over some elements, requests for GIFs are sent. Those requests are processed by the Tomcat FormAuthenticator class. This class is responsible for saving the requested URL and redirecting the user to this saved URL after a successful login. But this class saves all requests in the session using the same key, which means that old requests are overridden by new ones.

In this case there are multiple requests after session timeout, to get some GIFs and to show relogin.jsp in a popup window. Those requests are handled by different threads, and the last executed thread saves the information about the requested URL to the session. We have a classic race condition here. If relogin.jsp is requested last, the issue is not reproducible; if some GIF is requested and saved last, the issue is reproducible.

Please let me know if any extra loggers are required; I will enable them and share the output with you.

Thanks and Regards,
Rajendra Rathore
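
The overwrite described in the message above, modelled as an added example (not part of the original message and not Tomcat source code). A map stands in for the session, `SAVED_REQUEST_KEY` is a hypothetical name for the single shared key, and the URLs are constructed.

```java
import java.util.*;
import java.util.concurrent.*;

// Model of the behaviour described in the message; not Tomcat source code.
public class SavedRequestRace {
    // Hypothetical name for the single session key all saved requests share.
    static final String SAVED_REQUEST_KEY = "savedRequest";

    // Each unauthenticated request stores its URL under the same key,
    // replacing whatever an earlier request stored (last writer wins).
    static void saveRequest(ConcurrentMap<String, String> session, String url) {
        session.put(SAVED_REQUEST_KEY, url);
    }

    // After login the user is sent to whichever URL is stored at that moment.
    static String redirectAfterLogin(ConcurrentMap<String, String> session) {
        return session.get(SAVED_REQUEST_KEY);
    }

    // Replays one fixed arrival order and returns the post-login target.
    static String replay(List<String> arrivalOrder) {
        ConcurrentMap<String, String> session = new ConcurrentHashMap<>();
        arrivalOrder.forEach(url -> saveRequest(session, url));
        return redirectAfterLogin(session);
    }

    public static void main(String[] args) throws Exception {
        // Constructed URLs standing in for the GIF and relogin.jsp requests.
        String gifA = "/app/img/a.gif", gifB = "/app/img/b.gif", relogin = "/app/relogin.jsp";
        System.out.println("relogin.jsp saved last -> " + replay(List.of(gifA, gifB, relogin)));
        System.out.println("GIF saved last         -> " + replay(List.of(relogin, gifA, gifB)));

        // Same three requests released together on separate threads, 2000 times:
        // the tally shows that thread scheduling alone picks the redirect target.
        Map<String, Integer> tally = new TreeMap<>();
        ExecutorService pool = Executors.newFixedThreadPool(3);
        for (int round = 0; round < 2000; round++) {
            ConcurrentMap<String, String> session = new ConcurrentHashMap<>();
            CountDownLatch start = new CountDownLatch(1);
            List<Future<?>> pending = new ArrayList<>();
            for (String url : List.of(gifA, gifB, relogin)) {
                pending.add(pool.submit(() -> { start.await(); saveRequest(session, url); return null; }));
            }
            start.countDown();
            for (Future<?> f : pending) f.get();
            tally.merge(redirectAfterLogin(session), 1, Integer::sum);
        }
        pool.shutdown();
        System.out.println("concurrent outcomes    -> " + tally);
    }
}
```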