Bug 58665

Summary: Sudden logout at base path
Product: Tomcat 8 Reporter: Alex Dushkin <dushkin>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED DUPLICATE    
Severity: normal CC: dushkin
Priority: P2    
Version: 8.0.29   
Target Milestone: ----   
Hardware: PC   
OS: All   
Attachments: Simple web application

Description Alex Dushkin 2015-11-28 14:17:07 UTC
Created attachment 33309 [details]
Simple web application

1. Unpack http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.29/bin/apache-tomcat-8.0.29.zip

2. Uncomment users and roles in conf/tomcat-users.xml

3. Start Tomcat

4. Unpack and deploy the attached webapp "app" (jsp only)

5. Open the webapp page: http://localhost:8080/app/index

6. Login as tomcat/tomcat

7. Change path to http://localhost:8080/app - logged out!

Tomcat 8.0.28 just redirects back to index.
Comment 1 Mark Thomas 2015-11-28 15:24:37 UTC

*** This bug has been marked as a duplicate of bug 58660 ***
Comment 2 Konstantin Kolinko 2015-11-29 12:01:10 UTC
(In reply to Alex Dushkin from comment #0)
> 7. Change path to http://localhost:8080/app - logged out!
> 
> Tomcat 8.0.28 just redirects back to index.

Tomcat 8.0.29 also redirects back to index
(your WEB-INF/notfound.jsp does the redirection).

So you reproduction scenario does not work.
Tested with Mozilla Firefox 42.0

There is a bug in 8.0.29, but steps to reproduce it are a bit different.
See bug 58660 for a more complete description and a workaround.



BTW, your login.jsp submits to j_security_check instead of response.encodeURL("j_security_check"). It won't work if cookies are disabled.
Comment 3 Alex Dushkin 2015-11-29 12:24:11 UTC
(In reply to Konstantin Kolinko from comment #2)
> So you reproduction scenario does not work.
> Tested with Mozilla Firefox 42.0

It doesn't work in FF, but it works in Chrome (46.0.2490.86), Opera (33.0.1990.115), Edge (20.10240.16384.0).