It should serialize User and Principals, nothing more; no need for the password.

On Wed, Dec 7, 2011 at 4:12 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:

> 2011/12/7 Jess Holle <je...@ptc.com>:
> > I should have noted that this is with Tomcat 7.0.23, but it seemed unlikely
> > to be JVM (Java 6 Update 29) or OS (Windows 7) specific.
> >
> > Of course, given that I found that the documentation clearly states this
> > behavior, I suspect this is longstanding Tomcat behavior.
> >
> > My remaining question is /why/ Tomcat behaves this way. If one quickly
> > restarts Tomcat for some reason and session data is preserved, you really
> > don't want all the users to have to log in again, do you?
> >
>
> I think there is a simple reason:
> The data contains the user's password. You wouldn't want the password to be
> written to disk. It is safer if it is kept in memory only.