About FORM based authentication

 
Ranch Hand
Posts: 2066
In the HFSJ book, it's mentioned as,

Note: If you're using Form-based authentication, be sure to turn on SSL or session tracking, or your Container might not recognize the login form when it's returned.



Why do we have to use SSL for this? I know session tracking is needed to track the user who asked for the restricted resource. But how do we use SSL for session tracking? SSL is used for secure transmission. For session tracking?

Thanks...
 
Ranch Hand
Posts: 163
SSL by itself can be used for session tracking and secure transmission. Go to the specs and read the ways by which the Container can perform session tracking.
 
Creator of Enthuware JWS+ V6
Posts: 3411
Hi Abimaran,

Note: If you're using Form-based authentication, be sure to turn on SSL or session tracking, or your Container might not recognize the login form when it's returned.

It is written in a rather difficult way, but read it like this:

If the container doesn't track sessions, the users can be asked to authenticate every time they request a URL which has a security-constraint (which is quite annoying).

SSL is used for secure transport, but it also comes with an extra feature of session tracking:

SRV.7.1.2 SSL Sessions
Secure Sockets Layer, the encryption technology used in the HTTPS protocol, has a
built-in mechanism allowing multiple requests from a client to be unambiguously
identified as being part of a session. A servlet container can easily use this data to
define a session.


Regards,
Frits

 