Look at supporting web session password update for password change ------------------------------------------------------------------ Key: JBAS-2845 URL: http://jira.jboss.com/jira/browse/JBAS-2845 Project: JBoss Application Server Issue Type: Feature Request Security Level: Public(Everyone can see) Components: Web (Tomcat) service, Security Reporter: Scott M Stark Assigned To: Anil Saldhana Fix For: JBossAS-4.2.1.CR1 A common problem for form authentication is wanting to have a password change feature that does not require a logout/login cycle to update the session id/password association. We need to look into whether there is a secure way to support updating the session password to avoid this.