I think the problem here is if we return NOT_ATTEMPTED in some scenarios
where a user was previously authenticated against a web app this could
be quietly lost.

Returning NOT_AUTHENTICATED on the other hand forces the challenge phase
again.

Is caching against the session really the correct approach for your
mechanism? For a number of mechanisms caching against the session is
actually a bad habit carried over from Tomcat; instead, alternative
caching should be employed to optimise subsequent authentication token
validation.

The places where we do need to cache against the session are for
form-based authentication mechanisms, as not caching would result in a
prompt to the user on every request; for other mechanisms, where we have
tokens coming from the browser, we don't cache against the session.

Regards,
Darran Lofthouse.

On 01/03/14 00:39, Bill Burke wrote:
> If IdentityManager.verify(Account) returns null, shouldn't
> CachedAuthenticatedSessionMechanism return NOT_ATTEMPTED instead of
> aborting and returning 403/NOT_AUTHENTICATED? I was expecting that
> returning null would start the auth process again.
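As an added illustration of the outcome choice debated above (example code, not Undertow's CachedAuthenticatedSessionMechanism and not code from either poster), a minimal mechanism that re-verifies a cached Account through IdentityManager.verify(Account) and returns either outcome when the verification comes back null; the `AccountCache` interface and the `challengeOnStale` switch are assumptions standing in for wherever the account was stored and for the policy decision.

```java
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.HttpServerExchange;

// Hypothetical mechanism: re-verifies an Account that an earlier mechanism cached.
public final class ReverifyCachedAccountMechanism implements AuthenticationMechanism {
    // Assumed abstraction for wherever the earlier Account was stored (session or otherwise).
    public interface AccountCache {
        Account lookup(HttpServerExchange exchange);
        void clear(HttpServerExchange exchange);
    }
    private static final String NAME = "REVERIFY-CACHED";
    private final AccountCache cache;
    private final boolean challengeOnStale;

    public ReverifyCachedAccountMechanism(AccountCache cache, boolean challengeOnStale) {
        this.cache = cache;
        this.challengeOnStale = challengeOnStale;
    }

    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext ctx) {
        Account cached = cache.lookup(exchange);
        if (cached == null) {
            // Nothing for this mechanism to evaluate: hand over to the next one in the chain.
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        IdentityManager idm = ctx.getIdentityManager();
        Account verified = idm.verify(cached); // null: the cached identity is no longer valid
        if (verified != null) {
            ctx.authenticationComplete(verified, NAME, false);
            return AuthenticationMechanismOutcome.AUTHENTICATED;
        }
        cache.clear(exchange); // never leave a stale identity around to be re-checked later
        if (challengeOnStale) {
            // The outcome Darran argues for: an attempt was made and failed, so reject and re-challenge now.
            ctx.authenticationFailed("cached identity no longer valid", NAME);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        // The outcome Bill expected: behave as if nothing was cached and let the chain continue;
        // the revocation is then only surfaced if no later mechanism authenticates the request.
        return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext ctx) {
        return new ChallengeResult(false); // the mechanism that originally authenticated owns the challenge
    }
}
```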