If you use Tomcat's form authentication, it has to store the initial request somewhere in order to perform the stateless redirect for authentication. After that, it re-evaluates the request. The SavedRequest is saved in the session. You should disable the changeSessionIdOnAuthentication flag.
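For reference, the flag the answer refers to is an attribute of Tomcat's authenticator valve, configured in the web application's META-INF/context.xml (or the equivalent Host-level context file). The snippet below is an added example, not part of this thread, and shows the default setting alongside the disabled variant the answer proposes; it assumes a webapp that already declares FORM auth in its web.xml.

```xml
<!-- META-INF/context.xml of the webapp (added example; not from the thread) -->
<Context>
  <!-- Declaring the FormAuthenticator valve explicitly replaces the one Tomcat
       adds automatically for <login-config><auth-method>FORM</auth-method>.
       The pre-login JSESSIONID exists because this valve stores the original
       request (SavedRequest) in a session before redirecting to the login page.
       With the default value below, Tomcat issues a new session id at the moment
       the user authenticates, which is the second JSESSIONID the question describes. -->
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         changeSessionIdOnAuthentication="true" />

  <!-- Variant from the answer: keep the pre-login JSESSIONID after login.
       This turns off Tomcat's session fixation protection (the default is true),
       so the id issued before authentication remains valid for the authenticated
       session. Uncomment this valve and remove the one above to use it. -->
  <!--
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         changeSessionIdOnAuthentication="false" />
  -->
</Context>
```

Either way the pre-login session is still created, because the authenticator needs somewhere to keep the SavedRequest; the attribute only decides whether that session's id survives the login. Keeping the default means an id observed before login is useless once the user has authenticated, which is the reason Tomcat rotates it.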
Pre-login session id?
05-08-2022
Question
I have a simple webapp on Tomcat with form authentication, and notice that there is a "pre-login" JSESSIONID that's being set whenever a user just goes to the login page, before any login attempt even occurs.
Is this default behavior in Tomcat? Why does Tomcat generate a JSESSIONID just for loading a login page? Shouldn't it generate any session IDs only after an actual login? (Not because someone just loads the login page!)
Note: I should mention that my entire webapp (login page and all) is hosted over https; no part of it is exposed via http. Also I am not using JSP. After login, Tomcat generates a second JSESSIONID, different from the first. And that's the one the user uses for the remainder of their session.
But why does it set a "pre-login" JSESSIONID in the first place?
Solution