users@glassfish.java.net

Re: JSP FORM-based authentication redirects to expired session context

From: <glassfish_at_javadesktop.org>
Date: Tue, 16 Sep 2008 21:45:17 PDT

jrobey, I think I found the problem:

The FormAuthenticator saves the original request, including its cookies, in the newly created session, so the original request can later be resumed after the client has been authenticated. In your case, the original request contains a cookie that references an expired (or otherwise invalidated) session.

When the request is resumed, it is populated with all aspects of the original request, including its cookies, which, in your case, reference an expired session.

The FormAuthenticator should not blindly restore the cookies from the original request onto the resumed request. Instead, it should replace the JSESSIONID cookie (if one was present) of the original request with the JSESSIONID of the active session.

Can you please file an issue in the GlassFish IssueTracker?

Thanks!

Jan
[Message sent by forum member 'jluehe' (jluehe)]

http://forums.java.net/jive/thread.jspa?messageID=299735
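
The fix proposed in the message above, as an added example (not GlassFish's FormAuthenticator code and not part of the original post): when the saved request is resumed, every cookie is restored except JSESSIONID, which is rewritten to the active session's id if the original request carried one. The `Cookie` stand-in class, the `restoreCookies` helper and the sample values are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;

public class ResumeSavedRequest {
    // Minimal stand-in for a request cookie (hypothetical; not the servlet API class).
    static final class Cookie {
        final String name;
        final String value;
        Cookie(String name, String value) { this.name = name; this.value = value; }
        @Override public String toString() { return name + "=" + value; }
    }

    static final String SESSION_COOKIE = "JSESSIONID";

    // Builds the cookie list for the resumed request from the cookies saved
    // with the original request. A saved JSESSIONID may point at an expired
    // or invalidated session, so it is replaced with the active session's id.
    // If the original request had no JSESSIONID cookie, none is added.
    static List<Cookie> restoreCookies(List<Cookie> saved, String activeSessionId) {
        List<Cookie> restored = new ArrayList<>();
        boolean sessionCookieWritten = false;
        for (Cookie c : saved) {
            if (!SESSION_COOKIE.equals(c.name)) {
                restored.add(c);                       // unrelated cookie: restore as saved
            } else if (!sessionCookieWritten) {
                restored.add(new Cookie(SESSION_COOKIE, activeSessionId));
                sessionCookieWritten = true;           // later stale duplicates are dropped
            }
        }
        return restored;
    }

    public static void main(String[] args) {
        // Constructed sample: the saved request carries a stale session id.
        List<Cookie> saved = List.of(
            new Cookie("JSESSIONID", "EXPIRED-0001"),
            new Cookie("lang", "en"));
        System.out.println(restoreCookies(saved, "ACTIVE-0002"));

        // Constructed sample: the original request had no session cookie.
        List<Cookie> noSession = List.of(new Cookie("lang", "en"));
        System.out.println(restoreCookies(noSession, "ACTIVE-0002"));
    }
}
```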