I'm having a problem using Tomcat's FORM authentication method. I'm trying to use one
JSP page as both the login page and the login error page. I set a session variable to control whether the login error message on the login page gets displayed.
This mostly works fine, until the very last step below:
1. The user tries to go to the webapp.
2. The user is shown the login page.
3. The user enters their user ID and password.
4. If the user mistypes their password, the login page is redisplayed with the error message visible. (Correct!)
5. After the user correctly enters their password, they get access to the webapp.
6. The user clicks the logout button.
7. The system displays the login page without the error message being shown. (Correct!)
8. The user closes their web browser and then opens it again.
9. The user tries to go to the webapp.
10. The user is shown the login page with the "login error" message being shown. (Incorrect!)

This is odd, since the error message should only be displayed if the session variable is set, and since the session was invalidated when they logged out, the session variable shouldn't still exist.
Here is part of web.xml:
Here is login.jsp:
In theory, when the user first tries to access the webapp and is given this page, the "retryLogin" session variable will not be "true", so the "login error" message will not be displayed. However, in the process of running this page, the session variable gets set. Therefore, if they mistype their user ID or password and this page is displayed again, then the <c:if> test will be true, so they will be shown the "login error" message.
Here is the bit of the HTML code that shows the logout button. It is present in all of the pages of the webapp:
Here is the logout.java code:
In theory, when the user clicks the "Logout" button in the webapp, this servlet will run and will invalidate the session. Therefore, if the "retryLogin" session variable was set earlier, this will cause it to go away, so that when they are shown the login page again, they won't see the "login error" message.
So... What would cause the <c:if> statement to be FALSE when the user logs out, but then become TRUE again after they've closed and reopened their web browser?
[ October 11, 2005: Message edited by: Wally Hartshorn ]