diff -up ./java/org/apache/catalina/authenticator/AuthenticatorBase.java.orig ./java/org/apache/catalina/authenticator/AuthenticatorBase.java
--- ./java/org/apache/catalina/authenticator/AuthenticatorBase.java.orig 2020-04-24 11:29:17.047848947 -0400
+++ ./java/org/apache/catalina/authenticator/AuthenticatorBase.java 2020-04-24 11:36:59.943955494 -0400
@@ -854,10 +854,11 @@ public abstract class AuthenticatorBase
 }
 
 // Cache the authentication information in our session, if any
-if (cache) {
-if (session != null) {
+if (session != null) {
+if (cache) {
 session.setAuthType(authType);
 session.setPrincipal(principal);
+} else {
 if (username != null)
 session.setNote(Constants.SESS_USERNAME_NOTE, username);
 else
diff -up ./java/org/apache/catalina/authenticator/Constants.java.orig ./java/org/apache/catalina/authenticator/Constants.java
--- ./java/org/apache/catalina/authenticator/Constants.java.orig 2020-04-24 11:29:23.513836466 -0400
+++ ./java/org/apache/catalina/authenticator/Constants.java 2020-04-24 11:37:43.381871646 -0400
@@ -119,7 +119,10 @@ public class Constants {
 
 /**
 * The previously authenticated principal (if caching is disabled).
+*
+* @deprecated Unused. Will be removed in Tomcat 10.
 */
+@Deprecated
 public static final String FORM_PRINCIPAL_NOTE =
 "org.apache.catalina.authenticator.PRINCIPAL";
 
diff -up ./java/org/apache/catalina/authenticator/FormAuthenticator.java.orig ./java/org/apache/catalina/authenticator/FormAuthenticator.java
--- ./java/org/apache/catalina/authenticator/FormAuthenticator.java.orig 2020-04-24 11:29:30.865822275 -0400
+++ ./java/org/apache/catalina/authenticator/FormAuthenticator.java 2020-04-24 11:41:51.489392742 -0400
@@ -149,10 +149,6 @@ public class FormAuthenticator
 LoginConfig config)
 throws IOException {
 
-if (checkForCachedAuthentication(request, response, true)) {
-return (true);
-}
-
 // References to objects we will need later
 Session session = null;
 Principal principal = null;
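Review bot: The comment kept above the rewritten block in AuthenticatorBase, `// Cache the authentication information in our session, if any`, now describes only the `if (cache)` arm, while the new `else` arm writes the username note (and, judging by the SESS_PASSWORD_NOTE handling in the FormAuthenticator hunks, presumably the password note) onto the session exactly when caching is off. Suggest replacing it with `// Caching on: keep the Principal on the session. Caching off: keep the credential notes on the session instead (presumably so a later request can re-authenticate against the Realm — confirm in FormAuthenticator)`. It is also worth stating in that comment that with caching off the credential notes stay on the session for its whole lifetime, since the cleanup the removed FormAuthenticator block performed only ran when cache was true. The register() body and the new else arm continue past the end of the hunk.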
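Review bot: The `@deprecated` text on FORM_PRINCIPAL_NOTE says only `Unused.`, although the FormAuthenticator hunks in this same patch replace every read of the note with `session.getPrincipal()` (caching on) or `request.getPrincipal()` (caching off). Saying so in the Javadoc tells code that still sets or reads this note where the principal now lives, e.g. `@deprecated Unused. The principal is now taken from session.getPrincipal() (caching enabled) or request.getPrincipal() (caching disabled). Will be removed in Tomcat 10.`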
@@ -174,11 +170,8 @@ public class FormAuthenticator
 principal = context.getRealm().authenticate(username, password);
 if (principal != null) {
-session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
+register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);
 if (!matchRequest(request)) {
-register(request, response, principal,
-HttpServletRequest.FORM_AUTH,
-username, password);
 return (true);
 }
 }
@@ -197,17 +190,6 @@ public class FormAuthenticator
 + session.getIdInternal() + "'");
 }
-principal = (Principal)
-session.getNote(Constants.FORM_PRINCIPAL_NOTE);
-register(request, response, principal, HttpServletRequest.FORM_AUTH,
-(String) session.getNote(Constants.SESS_USERNAME_NOTE),
-(String) session.getNote(Constants.SESS_PASSWORD_NOTE));
-// If we're caching principals we no longer need the username
-// and password in the session, so remove them
-if (cache) {
-session.removeNote(Constants.SESS_USERNAME_NOTE);
-session.removeNote(Constants.SESS_PASSWORD_NOTE);
-}
 if (restoreRequest(request, session)) {
 if (log.isDebugEnabled()) {
 log.debug("Proceed to restored request");
@@ -222,6 +204,12 @@ public class FormAuthenticator
 }
 }
 
+// This check has to be after the previous check for a matching request
+// because that matching request may also include a cached Principal.
+if (checkForCachedAuthentication(request, response, true)) {
+return true;
+}
+
 // Acquire references to objects we will need to evaluate
 MessageBytes uriMB = MessageBytes.newInstance();
 CharChunk uriCC = uriMB.getCharChunk();
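Review bot: The hunk at -197 removes the re-registration from the session notes on the restored request, and nothing visible in this file now attaches the Principal to that request when caching is enabled; the hunk at -174 moves `register()` ahead of `matchRequest()`, which is what makes the new `!cache && request.getPrincipal() == null` test later in this patch pass in the caching-off case, but for the caching-on case the restored request presumably relies on AuthenticatorBase.invoke() copying `session.getPrincipal()` onto the request before `authenticate()` is entered — worth confirming and recording. Suggest a why-comment at the new `register()` call in the -174 hunk: `// Must run before matchRequest(): with caching disabled it looks for the Principal on the request, not in the session`, and one at the top of the matching-request branch in the -197 hunk: `// No re-registration here: the Principal is expected to be on the request (caching off, via register() above) or on the session (caching on, attached by the caller)`. The authenticate() method starts and ends outside these hunks.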
@@ -314,12 +302,7 @@ public class FormAuthenticator
 return (false);
 }
 
-// Save the authenticated Principal in our session
-session.setNote(Constants.FORM_PRINCIPAL_NOTE, principal);
-
-// Save the username and password as well
-session.setNote(Constants.SESS_USERNAME_NOTE, username);
-session.setNote(Constants.SESS_PASSWORD_NOTE, password);
+register(request, response, principal, HttpServletRequest.FORM_AUTH, username, password);
 
 // Redirect the user to the original request URI (which will cause
 // the original request to be restored)
@@ -489,7 +472,7 @@ public class FormAuthenticator
 }
 
 // Is there a saved principal?
-if (session.getNote(Constants.FORM_PRINCIPAL_NOTE) == null) {
+if (cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null) {
 return (false);
 }
 
@@ -518,7 +501,6 @@ public class FormAuthenticator
 SavedRequest saved = (SavedRequest)
 session.getNote(Constants.FORM_REQUEST_NOTE);
 session.removeNote(Constants.FORM_REQUEST_NOTE);
-session.removeNote(Constants.FORM_PRINCIPAL_NOTE);
 if (saved == null) {
 return (false);
 }
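Review bot: The new condition in `matchRequest()` at -489, `cache && session.getPrincipal() == null || !cache && request.getPrincipal() == null`, mixes `&&` and `||` without parentheses, so a reader has to work through operator precedence to see that it means "the principal for the active mode is missing". Selecting the source first reads more plainly and is easier to keep correct: `Principal saved = cache ? session.getPrincipal() : request.getPrincipal();` followed by `if (saved == null) {`. The comment `// Is there a saved principal?` should then say where it is looked for, e.g. `// A cached principal lives on the session; an uncached one must already be on the request`. matchRequest() starts and ends outside the hunk.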