If Elytron security domain (in WildFly 11, default "standalone.xml") is used for programmatic login, cookie "JSESSIONID" is not set in response. So following requests are sent without "JSESSIONID".

@Path("login")

public class LoginService {

    @Context

    private HttpServletRequest request;

    @POST

    public void login(LoginForm form) throws ServletException {

        request.login(form.getLogin(), form.getPassword());

    }

}

<?xml version="1.0" encoding="UTF-8"?>

<jboss-web>

    <security-domain>application-security-domain</security-domain>

</jboss-web>

If I add manual interaction with Session in login method, "JSESSIONID" is set.

OR

If I delete "jboss-web.xml" and default old "ApplicationRealm" is used, "JSESSIONID" is set.

"JSESSIONID" is set in WildFly 10.0.0.Final and in 10.1.0.Final, because there is no Elytron there and "ApplicationRealm" is used.

Test project is attached, create application user (add-user.sh) with username "wildfly" and password "wildfly".

Run "mvn wildfly:deploy".

Go to http://localhost:8080/test/test.html and press "Login" button and then "Check Auth".

In this project you can uncomment code below (//   uncomment the row below to get it working with elytron) to add session interaction or comment code below (<!-- comment the row below to use default ApplicationRealm from old security system, not elytron -->) to use old "ApplicationRealm".