There is no clue what is the session timeout in Knox.
When a user authenticates to Knox, a session is created in Knox and a JSESSIONID cookie is returned to the client.
But, there is no clue how long this session is valid.
We should allow customers to set different session timeouts.
At the minimum, we should add
<!-- web.xml expects the session timeout in minutes: -->
in the web.xml created by deployment.