I get:
HTTP Status 408 - The time allowed for the login process has been exceeded.
If you wish to continue you must either click back twice and re-click the
link you requested or close and re-open your browser
Will it happen when a JSESSIN cookie is on the client, but no longer on the
server?
To unsubscribe, e-mail: users-unsubscribe (AT) tomcat (DOT) apache.org
For additional commands, e-mail: users-help (AT) tomcat (DOT) apache.org

hv @ Fashion Content wrote:
I get:

HTTP Status 408 - The time allowed for the login process has been exceeded.
If you wish to continue you must either click back twice and re-click the
link you requested or close and re-open your browser

Will it happen when a JSESSIN cookie is on the client, but no longer on the
server?

It happens with FRM authentication. The sequence of events is:
- user requests protected page
- server returns login jsp (session is created at this point)
- user does nothing
- session expires (default 30 minutes?)
- user submits login form
- server can't find session associated with login as it has expired
- server returns 408

Mark

To unsubscribe, e-mail: users-unsubscribe (AT) tomcat (DOT) apache.org
For additional commands, e-mail: users-help (AT) tomcat (DOT) apache.org

So what if my login page does NT create a session and the user browses to
the login page and then enters credentials ?
In that case there will be no session created when login form is submitted.

As I understand it I must ensure that the login page creates a session

Henrik

"Mark Thomas" <markt (AT) apache (DOT) orgskrev i en meddelelse
news:43909AAC.1010703 (AT) apache (DOT) org
hv @ Fashion Content wrote:
>I get:
>>
>HTTP Status 408 - The time allowed for the login process has been
>exceeded. If you wish to continue you must either click back twice and
>re-click the link you requested or close and re-open your browser
>>
>Will it happen when a JSESSIN cookie is on the client, but no longer on
>the server?
>
It happens with FRM authentication. The sequence of events is:
- user requests protected page
- server returns login jsp (session is created at this point)
- user does nothing
- session expires (default 30 minutes?)
- user submits login form
- server can't find session associated with login as it has expired
- server returns 408

Mark

To unsubscribe, e-mail: users-unsubscribe (AT) tomcat (DOT) apache.org
For additional commands, e-mail: users-help (AT) tomcat (DOT) apache.org

Henrik
Could you confirm that your 408 is caused by client hanging the connection
for 30 min
Thanks
Martin-
Message
From: "Mark Thomas" <markt (AT) apache (DOT) org>
To: "Tomcat Users List" <users (AT) tomcat (DOT) apache.org>
Sent: Friday, December 02, 2005 2:04 PM
Subject: Re: When does 408 happen ?

hv @ Fashion Content wrote:
>I get:
>>
>HTTP Status 408 - The time allowed for the login process has been
>exceeded. If you wish to continue you must either click back twice and
>re-click the link you requested or close and re-open your browser
>>
>Will it happen when a JSESSIN cookie is on the client, but no longer on
>the server?
>
It happens with FRM authentication. The sequence of events is:
- user requests protected page
- server returns login jsp (session is created at this point)
- user does nothing
- session expires (default 30 minutes?)
- user submits login form
- server can't find session associated with login as it has expired
- server returns 408

Mark
--

To unsubscribe, e-mail: users-unsubscribe (AT) tomcat (DOT) apache.org
For additional commands, e-mail: users-help (AT) tomcat (DOT) apache.org

To unsubscribe, e-mail: users-unsubscribe (AT) tomcat (DOT) apache.org
For additional commands, e-mail: users-help (AT) tomcat (DOT) apache.org

hv @ Fashion Content wrote:
So what if my login page does NT create a session and the user browses to
the login page and then enters credentials ?

Tomcat will create one if it does not exist.

I recognise the text "The time allowed for the login process has been
exceeded. If you wish to continue you must either click back twice and
re-click the link you requested or close and re-open your browser" as
something I wrote so I am pretty sure this is coming from Tomcat. The
message is generated when the session is invalid. This was only seen
as the result of a time-out but could also be as a result of other
session problems.

Using a tool like ieHttpHeaders (IE), Live HTTP Headers (Firefox) or
TcpMon (from Apache Axis) should help you figure out what is going on.

Mark

To unsubscribe, e-mail: users-unsubscribe (AT) tomcat (DOT) apache.org
For additional commands, e-mail: users-help (AT) tomcat (DOT) apache.org

, in a way the problem is "solved", as I apparently was trying to achieve
something that goes against
the implemented behaivour.

the default page of the site I put a login form as descibed in the
Servlet spec.
I then specified the default page to be the login page and listed all other
pages on the site(Except access denied page) as protected.

The behaviour that I expected was:
1) If a user visits the site he has the option to log in.
2) If he returns to the site via an old link/favourite, the default page
will be shown for him to log in.

As I understand it now, this setup cannot be achieved using form
authentication.

In my mind that makes form authentication completely useless.

Hopefully I got it all wrong, and there is a way to achieve my goal.

"Mark Thomas" <markt (AT) apache (DOT) orgskrev i en meddelelse
news:4391AD9B.1030300 (AT) apache (DOT) org
hv @ Fashion Content wrote:
>So what if my login page does NT create a session and the user browses
>to the login page and then enters credentials ?
>
Tomcat will create one if it does not exist.

I recognise the text "The time allowed for the login process has been
exceeded. If you wish to continue you must either click back twice and
re-click the link you requested or close and re-open your browser" as
something I wrote so I am pretty sure this is coming from Tomcat. The
message is generated when the session is invalid. This was only seen as
the result of a time-out but could also be as a result of other session
problems.

Using a tool like ieHttpHeaders (IE), Live HTTP Headers (Firefox) or
TcpMon (from Apache Axis) should help you figure out what is going on.

Mark

To unsubscribe, e-mail: users-unsubscribe (AT) tomcat (DOT) apache.org
For additional commands, e-mail: users-help (AT) tomcat (DOT) apache.org

hv @ Fashion Content wrote:
the default page of the site I put a login form as descibed in the
Servlet spec.
I then specified the default page to be the login page and listed all other
pages on the site(Except access denied page) as protected.

The behaviour that I expected was:
1) If a user visits the site he has the option to log in.
2) If he returns to the site via an old link/favourite, the default page
will be shown for him to log in.

As I understand it now, this setup cannot be achieved using form
authentication.

How about this.
- Set any page in your app as the welcome page
- Protect all pages

This should give the following behaviour:
1) User visiting sites requests welcome page and is redirected to
login page. After successful auth user is redirected to welcome page.
2) User visiting site via link/favourite is redirected to login page.
After successful auth user is redirected to welcome page.

In my mind that makes form authentication completely useless.

Hopefully not ;). The one thing that will not work, is if a user book
marks the login page. If they try to use a book marked login page they
will get the 408. Another problem is if you want authentication over
https but the rest of the site over http you will need to do some
extra things to achieve this. Search the user list as there has been
some posts about this recently.

Hopefully I got it all wrong, and there is a way to achieve my goal.

I think there is. see above.

To unsubscribe, e-mail: users-unsubscribe (AT) tomcat (DOT) apache.org
For additional commands, e-mail: users-help (AT) tomcat (DOT) apache.org