Created attachment 33309 [details] Simple web application 1. Unpack http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.29/bin/apache-tomcat-8.0.29.zip 2. Uncomment users and roles in conf/tomcat-users.xml 3. Start Tomcat 4. Unpack and deploy the attached webapp "app" (jsp only) 5. Open the webapp page: http://localhost:8080/app/index 6. Login as tomcat/tomcat 7. Change path to http://localhost:8080/app - logged out! Tomcat 8.0.28 just redirects back to index.
*** This bug has been marked as a duplicate of bug 58660 ***
(In reply to Alex Dushkin from comment #0) > 7. Change path to http://localhost:8080/app - logged out! > > Tomcat 8.0.28 just redirects back to index. Tomcat 8.0.29 also redirects back to index (your WEB-INF/notfound.jsp does the redirection). So you reproduction scenario does not work. Tested with Mozilla Firefox 42.0 There is a bug in 8.0.29, but steps to reproduce it are a bit different. See bug 58660 for a more complete description and a workaround. BTW, your login.jsp submits to j_security_check instead of response.encodeURL("j_security_check"). It won't work if cookies are disabled.
(In reply to Konstantin Kolinko from comment #2) > So you reproduction scenario does not work. > Tested with Mozilla Firefox 42.0 It doesn't work in FF, but it works in Chrome (46.0.2490.86), Opera (33.0.1990.115), Edge (20.10240.16384.0).