I deliberately attempted used an incorrect password for an app running under Tomcat using BASIC authentication. Now I am always being denied access to the web page without being given the chance to login again despite turning the server off and on. Can someone explain this behavior? Was there a security cookie used by Tomcat? If so, is there a time limit on it?