0 Replies Latest reply on Feb 13, 2017 6:31 PM by vijayvenkatsr

    Form authentication provides single use Cookie

    vijayvenkatsr

      Hi,


      Have a war deployed on Wildfly 10.1 using Form Authentication.

      On authenticating against the <Application URL>/j_security_check with username and password, a cookie is returned in the response header:

      Authentication cookie: Set-Cookie: JSESSIONID=xxxxxxxxxxxxxxxxxxxxxx0LeRx7tn; path=/testserver

      The cookie, when attached to the header of an application request, works only for the first request:

      GET <Application URL> HTTP/1.1
      DataServiceVersion: 1.0;NetFx
      MaxDataServiceVersion: 3.0;NetFx
      Accept: application/atom+xml,application/xml
      Accept-Charset: UTF-8
      User-Agent: Microsoft ADO.NET Data Services
      Cookie: JSESSIONID=xxxxxxxxxxxxxxxxxxxxxx0LeRx7tn; path=/testserver

      And the response to this request also holds another cookie:

      First Request cookie: Set-Cookie: JSESSIONID=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyEGiIZd; path=/testserver

      When the "Authentication cookie" is used on the second request to the application, it returns the "login page" defined in the web.xml.

      Whereas using the "First Request cookie" in the second and subsequent requests to the application leads to the expected responses.

      web.xml

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>TESTRealm</realm-name>
      <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error_401.jsp</form-error-page>
      </form-login-config>
      </login-config>


      jboss-web.xml

      <security-domain>java:/jaas/test-security-domain</security-domain>


      standalone.xml

      <security-domain name="test-security-domain" cache-type="default">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
                  <module-option name="password-stacking" value="useFirstPass"/>
                  <module-option name="hashAlgorithm" value="MD5"/>
              </login-module>
          </authentication>
      </security-domain>

      Please help me with an explanation of this behavior and how I can go about resolving it so that the Authentication cookie can be used with all requests.

      Thanks in advance.


      Vijay
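An added example, not code from the post or from WildFly: a constructed in-process model of the exchange the post describes (a fresh JSESSIONID issued by j_security_check, re-issued on the first application request, after which the original id is refused) and two clients, one replaying the authentication cookie on every request as the post does and one that honours Set-Cookie on every response as a browser would. Re-issuing the session id after login is a common session-fixation mitigation, so a client should always carry the newest JSESSIONID; the server model, the username and password, and the /testserver/odata path are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie

class FakeFormAuthServer:
    """Constructed stand-in (not WildFly code) for the exchange in the post: the
    first request after j_security_check answers with a new JSESSIONID and the
    original id is not accepted afterwards."""
    def __init__(self):
        self.sessions = {}  # session id -> "fresh" or "established"
    def j_security_check(self, username, password):
        sid = secrets.token_hex(16)
        self.sessions[sid] = "fresh"
        return {"Set-Cookie": f"JSESSIONID={sid}; path=/testserver"}, None
    def get(self, path, cookie_header):
        jar = SimpleCookie(cookie_header or "")
        sid = jar["JSESSIONID"].value if "JSESSIONID" in jar else None
        state = self.sessions.get(sid)
        if state is None:
            return {}, "/login.jsp"  # unknown or retired id: the web.xml login page
        if state == "fresh":  # re-issue the id on the first request after login
            del self.sessions[sid]
            sid = secrets.token_hex(16)
            self.sessions[sid] = "established"
            return {"Set-Cookie": f"JSESSIONID={sid}; path=/testserver"}, "data"
        return {}, "data"

class CookieJarClient:
    """Keeps the newest value of each cookie, as a browser would."""
    def __init__(self, server):
        self.server, self.cookies = server, {}
    def _absorb(self, headers):
        for name, morsel in SimpleCookie(headers.get("Set-Cookie", "")).items():
            self.cookies[name] = morsel.value
    def login(self, username, password):
        self._absorb(self.server.j_security_check(username, password)[0])
    def request(self, path):
        # The Cookie header carries name=value pairs only; path= is an attribute.
        cookie = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        headers, body = self.server.get(path, cookie)
        self._absorb(headers)
        return body

def replay_fixed_cookie(server):
    # What the post does: send the authentication cookie with every request.
    fixed = server.j_security_check("user", "password")[0]["Set-Cookie"]
    return [server.get("/testserver/odata", fixed)[1] for _ in range(2)]

def use_cookie_jar(server):
    client = CookieJarClient(server)
    client.login("user", "password")
    return [client.request("/testserver/odata") for _ in range(3)]
```

Against this model, replaying the fixed cookie gets data once and then the login page, while the cookie-jar client keeps getting data because it picks up the re-issued JSESSIONID.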