For most of my apps at work, we use FORM-based authentication and a lot of session data. When a session times out, my apps successfully redirect the user to the login form and the user is successfully authenticated. My problem is that the redirect after authentication uses the expired session ID giving my users the ugly error page complaining about an invalid/expired session. I would much rather the expired session ID be ignored from the POST or GET request and for a new session ID to be generated and used after the authentication.
We are using JSF and AJAX (sometimes through Richfaces) a lot, so I'm not sure if this is do to the form-based submission model we are using or not. Any help would be appreciated.
I don't think it matters, but we are using LDAP-based authentication. I'm attaching my code snippets from web.xml and index.jsp (a login sample) from one of our apps.
[Message sent by forum member 'jrobey' (jrobey)]
http://forums.java.net/jive/thread.jspa?messageID=299434