I read this statement in one of the SCWCD 1.3 study guides.
For HTTP Form-based Auth:
1. "It specifies that the server should check for a reserved session cookie and should redirect users who do not have it to a designated login page."
-- What does it mean? Should the form-login-page be in the session?
2. "Any time the server receives a request for a protected resource (using Form Auth), the server checks if the user has already logged in, e.g. server might look for Principal object in HttpSession object. If Principal found, then roles are checked against security constraints."
I don't understand this statement. What happens when the Principal is not authorized? ..
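The two quoted statements describe one decision sequence the container runs on every request to a protected resource: is there a session with a Principal in it; if not, save the request and redirect to the login page; if so, compare the Principal's roles with the security constraint. The following plain-Java model is an added example written for this thread, not the study guide's text and not any container's real code. The session map, the "principal" and "savedRequest" keys, the user table and the constraint table are all constructed for illustration; in a real container the session is identified by the JSESSIONID cookie (the "reserved session cookie" in the quote), the login form posts to j_security_check, and the web.xml security-constraint and form-login-config supply the roles and pages.

```java
import java.util.*;

// Illustrative model of the container's form-auth decisions (added example, not container code).
public class FormAuthDecision {

    enum Outcome { REDIRECT_TO_LOGIN, OK, FORBIDDEN }

    // Hypothetical stand-in for java.security.Principal plus the roles mapped to it.
    static final class User {
        final String name; final Set<String> roles;
        User(String name, Set<String> roles) { this.name = name; this.roles = roles; }
    }

    private final String loginPage;   // <form-login-page> in web.xml
    private final String errorPage;   // <form-error-page> in web.xml
    // URL prefix -> roles allowed, as an <auth-constraint> would declare (constructed table)
    private final Map<String, Set<String>> constraints = new LinkedHashMap<>();
    // Constructed credential store; a real container uses its configured realm.
    private final Map<String, User> users = new HashMap<>();
    private final Map<String, String> passwords = new HashMap<>();

    FormAuthDecision(String loginPage, String errorPage) {
        this.loginPage = loginPage; this.errorPage = errorPage;
    }

    void protect(String prefix, String... roles) { constraints.put(prefix, new HashSet<>(Arrays.asList(roles))); }

    void addUser(String name, String password, String... roles) {
        users.put(name, new User(name, new HashSet<>(Arrays.asList(roles))));
        passwords.put(name, password);
    }

    // Statement 1 and 2 together: what the container does for a request to `path`.
    Outcome handle(Map<String, Object> session, String path) {
        Set<String> required = requiredRoles(path);
        if (required == null) return Outcome.OK;              // not a protected resource
        User user = (User) session.get("principal");          // "look for Principal in HttpSession"
        if (user == null) {
            session.put("savedRequest", path);                // remembered so login can resume it
            return Outcome.REDIRECT_TO_LOGIN;                 // browser is sent to loginPage
        }
        for (String r : user.roles) if (required.contains(r)) return Outcome.OK;
        return Outcome.FORBIDDEN;                             // authenticated but not authorized: 403
    }

    // Model of the j_security_check POST: on success the Principal is stored in the
    // session and the saved request is replayed; on failure the error page is shown.
    String login(Map<String, Object> session, String username, String password) {
        String expected = passwords.get(username);
        if (expected == null || !expected.equals(password)) return errorPage;
        session.put("principal", users.get(username));
        Object saved = session.remove("savedRequest");
        return saved == null ? "/" : saved.toString();
    }

    String loginPage() { return loginPage; }

    private Set<String> requiredRoles(String path) {
        for (Map.Entry<String, Set<String>> e : constraints.entrySet())
            if (path.startsWith(e.getKey())) return e.getValue();
        return null;
    }

    public static void main(String[] args) {
        FormAuthDecision c = new FormAuthDecision("/login.jsp", "/loginError.jsp");
        c.protect("/admin/", "admin");
        c.protect("/reports/", "manager", "admin");
        c.addUser("alice", "alice-pw", "manager");     // constructed sample account

        Map<String, Object> session = new HashMap<>();
        System.out.println(c.handle(session, "/reports/q1"));           // REDIRECT_TO_LOGIN
        System.out.println(c.login(session, "alice", "wrong"));         // /loginError.jsp
        System.out.println(c.login(session, "alice", "alice-pw"));      // /reports/q1 (saved request)
        System.out.println(c.handle(session, "/reports/q1"));           // OK
        System.out.println(c.handle(session, "/admin/users"));          // FORBIDDEN: in session, wrong role
        System.out.println(c.handle(session, "/public/index.html"));    // OK: no constraint
    }
}
```

The answer to the second question is the FORBIDDEN branch: once a Principal is in the session, a request for a resource whose auth-constraint it does not satisfy gets a 403 Forbidden from the container, not another trip to the login page. Note also that a session that exists only because a page created it does not satisfy the check; it is the Principal stored after a successful login that the container looks for.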