- Bug
- Resolution: Fixed
- Medium
- 0.7.20
- None
- JDK 1.4.2, Tomcat 5.5.25
- false
If a Filter prior to LoginFilter/SecurityFilter creates a session with request.getSession(), then cookie-based autologin will fail.
This is because DefaultAuthenticator.getUser(request, response) tests for an existing session. Upon finding one, it assumes that this session was created by Seraph and looks for the user. If it finds none, then it skips cookie auth and tries basic auth.
It would be better to try cookie auth if no sessionUser is found and not assume the existence of a session means Seraph had a go at the authentication already.
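
The lookup order described above, next to the order the report asks for, as an added example that is not Seraph source code. It assumes a simplified model: the session is a plain Map (null means no session exists), and USER_KEY, userFromCookie and the cookie value are hypothetical names and constructed values.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the lookup order described in the report. Not Seraph source:
// the session is a plain Map (null = no session); key and cookie values are constructed.
public class AutologinOrderDemo {
    static final String USER_KEY = "demo_session_user"; // hypothetical session attribute name

    // Stand-in for remember-me cookie validation; a real check verifies the cookie's credentials.
    static String userFromCookie(String cookie) {
        return "valid-cookie-for-alice".equals(cookie) ? "alice" : null;
    }

    // Behaviour as reported: any existing session is taken as proof that authentication already ran.
    static String getUserReported(Map<String, Object> session, String cookie) {
        if (session != null) {
            Object user = session.get(USER_KEY);
            if (user != null) {
                return (String) user;
            }
            return null; // cookie auth is skipped (basic auth would be tried next; omitted here)
        }
        return userFromCookie(cookie);
    }

    // Behaviour the report asks for: a session without a user falls through to cookie auth.
    static String getUserSuggested(Map<String, Object> session, String cookie) {
        if (session != null && session.get(USER_KEY) != null) {
            return (String) session.get(USER_KEY);
        }
        return userFromCookie(cookie);
    }

    public static void main(String[] args) {
        String cookie = "valid-cookie-for-alice"; // constructed sample value
        // An earlier filter called request.getSession(), so a session exists but holds no user.
        Map<String, Object> emptySession = new HashMap<>();
        System.out.println("reported,  no session:    " + getUserReported(null, cookie));
        System.out.println("reported,  empty session: " + getUserReported(emptySession, cookie));
        System.out.println("suggested, empty session: " + getUserSuggested(emptySession, cookie));
    }
}
```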