In testing I found that the JSESSIONIDSSO was not re-created upon re-authentication via logout() and login(username,password) in the same request. The problem stemmed from the REQ_SSOID_NOTE that was was not reset upon request.logout(), whereas the documentation indicates that a logout() from any web-app should logout() from all web-apps. When the REQ_SSOID_NOTE is not removed upon logout(), a subsequent login(username,password) on the same request will re-create a JSESSIONID for the current web-app but fails to re-create a JSESSIONIDSSO since the REQ_SSO_ID_NOTE still lingers on the request. AuthenticatorBase.java adjustment for logout(request) that removes the REQ_SSOID_NOTE so that a subsequent login(username,password) will work on the same request: @Override public void logout(Request request) throws ServletException { register(request, request.getResponse(), null, null, null, null); request.removeNote(Constants.REQ_SSOID_NOTE); } I'll upload a diff-patch against the trunk and for 7.0.40.
Created attachment 30313 [details] Fix for Bug 54999 to ensure JSESSIONIDSSO can be re-created In the Bug comments I chose to @override the AuthenticatorBase logout(Request) but the more self-consistent place to patch this seems to be in AuthenticatorBase.register(Request,...) that I've done here against the tc7.0.x/trunk/tc7.0.x/java/org/apache/catalina/authenticator/AuthenticatorBase.java.
Thanks for the report, analysis and patch. It all looks good to me. I have applied the patch to trunk and 7.0.x and the fix will be included in 7.0.41 onwards.