Take a look at the HttpServletRequest code for the method which creates a new session 
via getSession(request,true)
http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Core/Servlet-API-by-tomcat/javax/servlet/http/HttpServletRequest.java.htm
getSession(request,true) will create a new Session
getSession(request,false) will NOT create a new session

The authenticate method in FormAuthenticator.java shows the calls to getSession where a 
new session will be created, e.g.
http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm

authenticate method (calls to getSession method):

                    if (ssoId != null)
107:                        associate(ssoId, getSession(request, true));

128:                    session = getSession(request, true);

161:                    session = getSession(request, true);

198:                    session = getSession(request, true);

243:                if (session == null)
244:                    session = getSession(request, false);

matchRequest:

287:                Session session = getSession(request, false);

HTH
Martin Gainty 
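An added example (not from this thread and not Tomcat's own code) showing the getSession(request, false) distinction in practice: a servlet Filter that flags requests which already carry a container session but no authenticated principal, i.e. the pre-authentication sessions discussed above. It assumes the Servlet 2.5 API of this era; the class name, the classify helper and the log wording are my own choices.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter (not Tomcat code): reports requests that arrive with a
 * session but no authenticated principal, i.e. the sessions FormAuthenticator
 * creates before the user has logged in.
 *
 * Filters run inside the wrapper pipeline, after the authenticator valve, so
 * by the time doFilter runs any such session already exists. getSession(false)
 * is used throughout so the filter itself never creates one.
 */
public class PreAuthSessionReportFilter implements Filter {

    private ServletContext context;

    public void init(FilterConfig config) {
        // Servlet 2.5: the context is reached via FilterConfig, not the request
        context = config.getServletContext();
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String verdict = classify(request);
        if (verdict != null) {
            // Log the fact, never the session id itself
            context.log(verdict + " " + request.getMethod() + " " + request.getRequestURI());
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns a log message when an unauthenticated request holds a session,
     * or null otherwise. Package-private so it can be driven by a mock request.
     */
    static String classify(HttpServletRequest request) {
        // false: return null instead of creating a session as a side effect
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        if (request.getUserPrincipal() != null) {
            return null; // authenticated: a session here is expected
        }
        // Distinguish a session minted during this request (the
        // getSession(request, true) calls in authenticate()) from one the
        // client carried over on its JSESSIONID cookie or URL.
        String origin;
        if (session.isNew()) {
            origin = "created during this request";
        } else if (request.isRequestedSessionIdFromCookie()) {
            origin = "resumed from cookie";
        } else {
            origin = "resumed from URL";
        }
        return "unauthenticated request holds a session (" + origin + ")";
    }
}
```

Map the filter to /* in web.xml and request a protected page with a fresh client: the first request is redirected to the login page and the filter (if the redirect passes through the filter chain) or the very next request reports a session that was "created during this request" or "resumed from cookie" before any principal exists. This does not prevent the behaviour, which, as Pid says, the form authenticator requires, but it makes the pre-authentication session count observable, which is what you need when sizing the session store or spotting unauthenticated clients that churn sessions.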

> Date: Sat, 9 May 2009 10:35:37 +0100
> From: p...@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Form Based Authentication creates user session before it is 
> authenticated?
> 
> Pid wrote:
> > umeshkavade wrote:
> >> Hello,
> >>
> >> In my web application, I am using tomcat's form based authentication for
> >> protecting my secure web pages. Thus whenever a user starts accessing the webapp
> >> by providing a URL of a protected page, it is redirected to the login page.
> >> However, while doing so it creates a session. I do not want my web
> >> application to create a session until the user logs into the system. 
> >>
> >> I tried to figure out how form authenticator is working. I got source code
> >> of FormAuthenticator at:
> >> http://www.java2s.com/Open-Source/Java-Document/Sevlet-Container/tomcat-catalina/org/apache/catalina/authenticator/FormAuthenticator.java.htm
> >>
> >> While processing the first request, tomcat calls the
> >> FormAuthenticator.authenticate() method, which calls the getSession method,
> >> which creates a session.
> >>
> >> Is there any way to avoid this and tell tomcat not to create a session?
> > 
> > The session is created (if it doesn't already exist) when you request
> > a protected resource; the original request is stored in the session so
> > it can be restored after authentication has succeeded.
> 
> Actually, on reflection, I'm not sure the original request is stored in
> the session itself.  But in either case, the session *is* created
> beforehand and you can't avoid this.
> 
> p
> 
> > So you need the user to have a session *before* authentication takes place.
> > 
> > p
> > 
> > 
> >> Inputs on this will be of great help.
> >>
> >> Thanks in advance.
> >>
> >> - Umesh
> >>
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> > 
> 
> 
