Question

I have a simple webapp on Tomcat with form authentication, and notice that there is a "pre-login" JSESSIONID that's being set whenever a user just goes to the login page, before any login attempt even occurs.

Is this default behavior in Tomcat? Why does Tomcat generate a JSESSIONID just for loading a login page? Shouldn't it generate any session IDs only after an actual login? (Not because someone just loads the login page!)

Note: I should mention that my entire webapp (login page and all) is hosted over https; no part of it is exposed via http. Also I am not using JSP. After login, Tomcat generates a second JSESSIONID, different from the first. And that's the one the user uses for the remainder of their session.

But why does it set a "pre-login" JSESSIONID in the first place?


Solution

If you use Tomcat's form auth, it has to store the initial request somewhere to perform the stateless redirect for the auth. After that, it will re-evaluate the request. The SavedRequest is saved in the session. You should disable the changeSessionIdOnAuthentication flag.
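As an added illustration (not code from the original answer and not Tomcat's own source), here is a small Python model of the flow the answer describes: an unauthenticated request to a protected page is parked as a SavedRequest in a freshly created session (the "pre-login" JSESSIONID), the login POST is checked against that session, and on success the container replays the saved request. The model also includes the `changeSessionIdOnAuthentication` behaviour as a switch. The user table, the `/secure/report` path and the credential are constructed for the example. One caveat a practitioner should weigh against the answer's last sentence: on Tomcat's authenticator valve that attribute defaults to true precisely so that the id handed out before login cannot be reused after it; the `run_flow` function below shows what an attacker who knows the pre-login id can do once it is turned off (classic session fixation).

```python
"""Toy model of Tomcat-style FORM authentication: a pre-login session
holding a SavedRequest, the login POST, and optional session-id rotation.
Illustrative model only, not Tomcat's code."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    id: str
    attrs: dict = field(default_factory=dict)


class FormAuthServer:
    """Models the container: a session store, a user table and one
    protected path. The credential below is constructed for the example."""

    def __init__(self, change_session_id_on_authentication=True):
        self.rotate = change_session_id_on_authentication
        self.sessions = {}
        self.users = {"alice": "s3cret"}  # constructed test credential

    def _new_session(self):
        s = Session(secrets.token_hex(16))
        self.sessions[s.id] = s
        return s

    def get(self, uri, jsessionid=None):
        """Unauthenticated GET of a protected page. The container must
        remember the original request so it can replay it after login,
        and the only place it has to keep it is a session: hence a
        JSESSIONID cookie is set before any credentials are seen."""
        s = self.sessions.get(jsessionid)
        if s and "principal" in s.attrs:
            return {"status": 200, "body": f"{uri} for {s.attrs['principal']}", "set_cookie": None}
        if s is None:
            s = self._new_session()
        s.attrs["saved_request"] = {"method": "GET", "uri": uri}
        return {"status": 302, "location": "/login", "set_cookie": s.id}

    def login(self, jsessionid, username, password):
        """POST of the login form. On success, with rotation enabled,
        the session gets a new id and its attributes are carried over;
        then the saved request is replayed via a redirect."""
        s = self.sessions.get(jsessionid)
        if s is None or "saved_request" not in s.attrs:
            return {"status": 400, "set_cookie": None}  # nothing to resume
        if self.users.get(username) != password:
            return {"status": 403, "set_cookie": None}
        if self.rotate:
            del self.sessions[s.id]
            s = Session(secrets.token_hex(16), dict(s.attrs))
            self.sessions[s.id] = s
        s.attrs["principal"] = username
        saved = s.attrs.pop("saved_request")
        return {"status": 302, "location": saved["uri"], "set_cookie": s.id}


def run_flow(rotate):
    """Victim logs in; an attacker who learned the pre-login id then
    replays it. Returns (pre_login_id, post_login_id, attacker_status)."""
    srv = FormAuthServer(change_session_id_on_authentication=rotate)
    r1 = srv.get("/secure/report")
    pre = r1["set_cookie"]
    r2 = srv.login(pre, "alice", "s3cret")
    post = r2["set_cookie"]
    assert r2["location"] == "/secure/report"  # saved request replayed
    attacker = srv.get("/secure/report", jsessionid=pre)
    return pre, post, attacker["status"]


if __name__ == "__main__":
    print(run_flow(True))   # ids differ, attacker gets 302 to /login
    print(run_flow(False))  # same id, attacker gets 200 as alice
```

With rotation on, the pre-login id is dead after authentication and the attacker is bounced to the login page; with rotation off, the id issued before login is the authenticated session, which is exactly the fixation window the default setting closes.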

Licensed under: CC-BY-SA with attribution