users@glassfish.java.net

Re: JSP FORM-based authentication redirects to expired session context

From: <glassfish_at_javadesktop.org>
Date: Wed, 17 Sep 2008 11:16:53 PDT

Following is an update to the issue:

When you try to access a FORM protected resource ("original request") after your session has expired or has been invalidated, the container's FormAuthenticator will create a new session [NEW], and include its JSESSIONID in the response that contains a redirect to the login page.

All aspects of the "original request", including the cookie with the invalid JSESSIONID, are stored in the new session, so they can later be restored.

When accessing the login page, the client includes a cookie with the JSESSIONID of the new session in the request.

Once the client has been authenticated, the container will issue a redirect to the original request URL. When the client follows this redirect, it will again include a cookie with the JSESSIONID of the new session with the request.

When the FormAuthenticator receives this request, it will clear all its properties (including cookies) [CLEAR], and restore on it all the properties (including the cookie with the invalid JSESSIONID) from the "original request".

Therefore, if you call

  HttpServletRequest.getCookies()

from within your protected resource, you will receive the JSESSIONID of the invalid session.

However, if you call

  HttpServletRequest.getSession(false)

you will get the new session that was established by the FormAuthenticator in [NEW]. This is because before the request is passed to the FormAuthenticator, the container will have already parsed the JSESSIONID (of the valid session) before it was cleared in [CLEAR] and replaced with the invalid JSESSIONID.


Jan
[Message sent by forum member 'jluehe' (jluehe)]

http://forums.java.net/jive/thread.jspa?messageID=299899
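A small probe servlet, added here as an illustration and not part of the original post or of GlassFish itself, that makes the discrepancy described above visible from inside a FORM-protected resource. It prints the JSESSIONID value obtained through HttpServletRequest.getCookies() next to the id of the session returned by getSession(false), and flags the case where they differ. The servlet class name and the assumption that it is mapped under a FORM auth-constraint in web.xml are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical protected resource; assumed to be mapped under a FORM
// auth-constraint in web.xml so that the FormAuthenticator handles it.
public class SessionProbeServlet extends HttpServlet {

    /** Returns the JSESSIONID value as seen through getCookies(), or null if absent. */
    static String jsessionIdFromCookies(Cookie[] cookies) {
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if ("JSESSIONID".equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Value restored from the saved "original request" (may be the stale id).
        String cookieId = jsessionIdFromCookies(req.getCookies());

        // Session resolved by the container before the FormAuthenticator
        // restored the original request's properties (the new, valid session).
        HttpSession session = req.getSession(false);
        String sessionId = (session == null) ? null : session.getId();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("JSESSIONID cookie (from getCookies):  " + cookieId);
        out.println("Session id (from getSession(false)):  " + sessionId);
        out.println("Requested session id valid:           " + req.isRequestedSessionIdValid());

        if (cookieId != null && sessionId != null && !cookieId.equals(sessionId)) {
            // The situation described in the post: the restored request carries the
            // cookie of the expired session, while the container has already bound
            // this request to the new session created at login time.
            out.println("MISMATCH: the cookie value is stale; use getSession(false) instead.");
        }
    }
}
```

Request the protected URL after letting the session expire, log in through the form, and read the output of the redirected request. The practical rule it illustrates: application code that needs the session identity (for logging, cache keys, or anything keyed on the session) should take it from getSession(false).getId(), never from parsing the JSESSIONID cookie out of getCookies(), since on the first request after a FORM login that cookie may belong to a session that no longer exists.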