Form authentication provides single use Cookie
vijayvenkatsr Feb 13, 2017 6:31 PM
Hi,
Have a war deployed on Wildfly 10.1 using Form Authentication.
On authenticating against the <Application URL>/j_security_check with user name and password, a cookie is returned in the response header:
Authentication cookie: Set-Cookie: JSESSIONID=xxxxxxxxxxxxxxxxxxxxxx0LeRx7tn; path=/testserver
The cookie, when attached to the header of an application request, works only for the first request:
GET <Application URL> HTTP/1.1
DataServiceVersion: 1.0;NetFx
MaxDataServiceVersion: 3.0;NetFx
Accept: application/atom+xml,application/xml
Accept-Charset: UTF-8
User-Agent: Microsoft ADO.NET Data Services
Cookie: JSESSIONID=xxxxxxxxxxxxxxxxxxxxxx0LeRx7tn; path=/testserver
And the response of this request also holds another cookie:
First Request cookie: Set-Cookie: JSESSIONID=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyEGiIZd; path=/testserver
When the "Authentication cookie" is used on the second request to the application, it returns the "login page" defined in the web.xml.
Whereas, using the "First Request cookie" in the second and subsequent requests to the application leads to responses as expected.
web.xml
<login-config>
<auth-method>FORM</auth-method>
<realm-name>TESTRealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error_401.jsp</form-error-page>
</form-login-config>
</login-config>
jboss-web.xml
<security-domain>java:/jaas/test-security-domain</security-domain>
standalone.xml
<security-domain name="test-security-domain" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="hashAlgorithm" value="MD5"/>
</login-module>
</authentication>
</security-domain>
Please help me with an explanation behind this behavior and how I can go about resolving it so that the Authentication cookie can be used with all requests.
Thanks in advance.
Vijay
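An added example, not code from the post or from Wildfly: a constructed Python model of the behaviour reported above, assuming (as an assumption, not a fact from the post) that the server rotates the session id on the first authenticated request, a common session-fixation defence, so the cookie issued at login is valid only once. The hypothetical `Server` and `Client` classes show why a client that ignores later `Set-Cookie` headers falls back to the login page while a cookie-jar client keeps working.

```python
import secrets

# Constructed model (assumption, not Wildfly's implementation): the JSESSIONID
# issued at login is replaced on the first authenticated request and the old id
# is invalidated, so only the newest cookie value stays usable.
COOKIE_PATH = "/testserver"


def parse_jsessionid(cookie_header):
    """Extract the JSESSIONID value from a Cookie or Set-Cookie header string."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


class Server:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": str, "rotated": bool}

    def _issue(self, user, rotated):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "rotated": rotated}
        return f"JSESSIONID={sid}; path={COOKIE_PATH}"

    def j_security_check(self, user, password):
        # Credentials are assumed valid in this model; returns the Set-Cookie value.
        return self._issue(user, rotated=False)

    def get(self, cookie_header):
        """Return (body, set_cookie_or_None) for a request to a protected resource."""
        session = self.sessions.get(parse_jsessionid(cookie_header or ""))
        if session is None:
            return "login.jsp", None           # stale or unknown id: form-login-page
        if session["rotated"]:
            return "data", None                # current id: normal response
        del self.sessions[parse_jsessionid(cookie_header)]  # login id is single use
        return "data", self._issue(session["user"], rotated=True)


class Client:
    """Client that optionally honours every Set-Cookie, as a browser's cookie jar does."""
    def __init__(self, server, track_set_cookie=True):
        self.server, self.track, self.cookie = server, track_set_cookie, None

    def login(self, user, password):
        self.cookie = self.server.j_security_check(user, password)

    def get(self):
        body, set_cookie = self.server.get(self.cookie)
        if self.track and set_cookie:
            self.cookie = set_cookie           # replace the login cookie
        return body


def run(track_set_cookie, requests=3):
    """Bodies returned for `requests` GETs after one login."""
    client = Client(Server(), track_set_cookie)
    client.login("vijay", "secret")
    return [client.get() for _ in range(requests)]
```

Re-sending the login cookie on every request yields `['data', 'login.jsp', 'login.jsp']`, while tracking `Set-Cookie` yields `['data', 'data', 'data']`.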