Jason Greene updated WFLY-9561:
-------------------------------
Fix Version/s: 13.0.0.Beta1
(was: 12.0.0.Final)
HttpServletRequest.login(username, password) not creating HttpSession
if it doesn't already exist. (Elytron)
------------------------------------------------------------------------------------------------------------
Key: WFLY-9561
URL: https://issues.jboss.org/browse/WFLY-9561
Project: WildFly
Issue Type: Bug
Components: Security, Web (Undertow)
Affects Versions: 11.0.0.Final
Reporter: Stanislav Grushevskiy
Assignee: Darran Lofthouse
Fix For: 13.0.0.Beta1
Attachments: test.zip
If an Elytron security domain (in WildFly 11, default "standalone.xml") is used
for programmatic login, the "JSESSIONID" cookie is not set in the response. So the
following requests are sent without "JSESSIONID".
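
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.ws.rs.POST;
    import javax.ws.rs.Path;
    import javax.ws.rs.core.Context;

    @Path("login")
    public class LoginService {
        @Context
        private HttpServletRequest request;

        @POST
        public void login(LoginForm form) throws ServletException {
            // Programmatic login; no HttpSession is touched here.
            request.login(form.getLogin(), form.getPassword());
        }
    }
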
    <?xml version="1.0" encoding="UTF-8"?>
    <jboss-web>
        <security-domain>application-security-domain</security-domain>
    </jboss-web>

If I add manual interaction with the session in the login method, "JSESSIONID" is set.
OR
If I delete "jboss-web.xml" and the default old "ApplicationRealm" is
used, "JSESSIONID" is set.
"JSESSIONID" is set in WildFly 10.0.0.Final and in 10.1.0.Final, because there
is no Elytron there and "ApplicationRealm" is used.
The test project is attached. Create an application user (add-user.sh) with username
"wildfly" and password "wildfly".
Run "mvn wildfly:deploy".
Go to http://localhost:8080/test/test.html and press the "Login" button and then
"Check Auth".
In this project you can uncomment the code below (// uncomment the row below to get it
working with elytron) to add session interaction, or comment out the code below (<!-- comment
the row below to use default ApplicationRealm from old security system, not elytron
-->) to use the old "ApplicationRealm".