diff -up ./java/org/apache/catalina/authenticator/AuthenticatorBase.java.orig ./java/org/apache/catalina/authenticator/AuthenticatorBase.java

--- ./java/org/apache/catalina/authenticator/AuthenticatorBase.java.orig	2020-04-24 11:29:17.047848947 -0400

+++ ./java/org/apache/catalina/authenticator/AuthenticatorBase.java	2020-04-24 11:36:59.943955494 -0400

@@ -854,10 +854,11 @@ public abstract class AuthenticatorBase

         }

         // Cache the authentication information in our session, if any

-        if (cache) {

-            if (session != null) {

+        if (session != null) {

+            if (cache) {

                 session.setAuthType(authType);

                 session.setPrincipal(principal);

+            } else {

                 if (username != null)

                     session.setNote(Constants.SESS_USERNAME_NOTE, username);

                 else

diff -up ./java/org/apache/catalina/authenticator/Constants.java.orig ./java/org/apache/catalina/authenticator/Constants.java

--- ./java/org/apache/catalina/authenticator/Constants.java.orig	2020-04-24 11:29:23.513836466 -0400

+++ ./java/org/apache/catalina/authenticator/Constants.java	2020-04-24 11:37:43.381871646 -0400

@@ -119,7 +119,10 @@ public class Constants {

     /**

      * The previously authenticated principal (if caching is disabled).

+     *

+     * @deprecated Unused. Will be removed in Tomcat 10.

      */

+    @Deprecated

     public static final String FORM_PRINCIPAL_NOTE =

         "org.apache.catalina.authenticator.PRINCIPAL";

diff -up ./java/org/apache/catalina/authenticator/FormAuthenticator.java.orig ./java/org/apache/catalina/authenticator/FormAuthenticator.java

--- ./java/org/apache/catalina/authenticator/FormAuthenticator.java.orig	2020-04-24 11:29:30.865822275 -0400

+++ ./java/org/apache/catalina/authenticator/FormAuthenticator.java	2020-04-24 11:41:51.489392742 -0400

@@ -149,10 +149,6 @@ public class FormAuthenticator

                                 LoginConfig config)

         throws IOException {

-        if (checkForCachedAuthentication(request, response, true)) {

-            return (true);

-        }

-

         // References to objects we will need later

         Session session = null;

         Principal principal = null;

@@ -174,11 +170,8 @@ public class FormAuthenticator

                 principal =

                     context.getRealm().authenticate(username, password);

                 if (principal != null) {

-                    session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);

+                    register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);

                     if (!matchRequest(request)) {

-                        register(request, response, principal,

-                                HttpServletRequest.FORM_AUTH,

-                                 username, password);

                         return (true);

                     }

                 }

@@ -197,17 +190,6 @@ public class FormAuthenticator

                           + session.getIdInternal()

                           + "'");

             }

-            principal = (Principal)

-                session.getNote(Constants.FORM_PRINCIPAL_NOTE);

-            register(request, response, principal, HttpServletRequest.FORM_AUTH,

-                     (String) session.getNote(Constants.SESS_USERNAME_NOTE),

-                     (String) session.getNote(Constants.SESS_PASSWORD_NOTE));

-            // If we're caching principals we no longer need the username

-            // and password in the session, so remove them

-            if (cache) {

-                session.removeNote(Constants.SESS_USERNAME_NOTE);

-                session.removeNote(Constants.SESS_PASSWORD_NOTE);

-            }

             if (restoreRequest(request, session)) {

                 if (log.isDebugEnabled()) {

                     log.debug("Proceed to restored request");

@@ -222,6 +204,12 @@ public class FormAuthenticator

             }

         }

+        // This check has to be after the previous check for a matching request

+        // because that matching request may also include a cached Principal.

+        if (checkForCachedAuthentication(request, response, true)) {

+            return true;

+        }

+

         // Acquire references to objects we will need to evaluate

         MessageBytes uriMB = MessageBytes.newInstance();

         CharChunk uriCC = uriMB.getCharChunk();

@@ -314,12 +302,7 @@ public class FormAuthenticator

             return (false);

         }

-        // Save the authenticated Principal in our session

-        session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);

-

-        // Save the username and password as well

-        session.setNote(Constants.SESS_USERNAME_NOTE, username);

-        session.setNote(Constants.SESS_PASSWORD_NOTE, password);

+        register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);

         // Redirect the user to the original request URI (which will cause

         // the original request to be restored)

@@ -489,7 +472,7 @@ public class FormAuthenticator

     }

       // Is there a saved principal?

-      if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) {

+    if (cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null) {        

         return (false);

     }

@@ -518,7 +501,6 @@ public class FormAuthenticator

         SavedRequest saved = (SavedRequest)

             session.getNote(Constants.FORM_REQUEST_NOTE);

         session.removeNote(Constants.FORM_REQUEST_NOTE);

-        session.removeNote(Constants.FORM_PRINCIPAL_NOTE);

         if (saved == null) {

             return (false);

         }