[
https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17339332#comment-17339332
]
Eric Norman commented on SLING-10290:
-------------------------------------
It looks like the problem with the cookie refresh logic is that
FormAuthenticationHandler#getCookieAuthData is looking for the authData in a
different place than where FormAuthenticationHandler#createAuthInfo has stored
it when jaasHelper is enabled.
I've created [PR
#1|https://github.com/apache/sling-org-apache-sling-auth-form/pull/1] with a
proposed fix for review. I'll merge the PR to the mainline in a few days if
there is no negative feedback to the changes.
> Every request renews sling.formauth token
> -----------------------------------------
>
> Key: SLING-10290
> URL: https://issues.apache.org/jira/browse/SLING-10290
> Project: Sling
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Form Based Authentication 1.0.20
> Reporter: Cris Rockwell
> Assignee: Eric Norman
> Priority: Critical
> Attachments: image-2021-04-09-14-19-17-509.png
>
>
> When using Apache Sling Form Based Authentication Handler,
> every request and subrequest sets a new value for `sling.formauth`.
> Analyzing the code indicates that it is not the intended behavior,
> and the cookie value of `sling.formauth` should be consistent for 30 minutes
> according to the default value of form.auth.timeout.
> Debugging shows that the method
> [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
> always returns null.... AuthenticationInfo properties are
> user.jcr.credentials, sling.authType and user.name. But there is not a
> property called sling.formauth.
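The store/lookup mismatch described in the comment above, as a simplified model added here; it is not code from the Sling project or from PR #1. The property names come from the issue description, while `FormCreds`, both lookup methods, the sample values and the rule that a null lookup triggers a new cookie are assumptions for illustration (Java 17).

```java
import java.util.HashMap;
import java.util.Map;

public class FormAuthRefreshModel {
    // Hypothetical stand-in for the credentials object used when jaasHelper is enabled.
    record FormCreds(String user, String authData) {}
    // Models where the token ends up: under sling.formauth, or inside user.jcr.credentials.
    static Map<String, Object> createAuthInfo(String user, String authData, boolean jaasEnabled) {
        Map<String, Object> info = new HashMap<>();
        info.put("sling.authType", "FORM"); // constructed sample value
        info.put("user.name", user);
        if (jaasEnabled) {
            info.put("user.jcr.credentials", new FormCreds(user, authData));
        } else {
            info.put("sling.formauth", authData);
        }
        return info;
    }
    // Lookup as reported in the issue: only the sling.formauth property is consulted.
    static String lookupReported(Map<String, Object> info) {
        return (String) info.get("sling.formauth");
    }
    // Assumed remedy: also read the token from the credentials object.
    static String lookupBothPlaces(Map<String, Object> info) {
        Object creds = info.get("user.jcr.credentials");
        if (creds instanceof FormCreds fc) {
            return fc.authData();
        }
        return (String) info.get("sling.formauth");
    }
    // Counts how many of n requests receive a new cookie value.
    // Assumption: a null lookup makes the handler issue a fresh token.
    static int renewals(int n, boolean jaasEnabled, boolean fixed) {
        int count = 0;
        String token = "token-0"; // constructed sample value
        for (int i = 1; i <= n; i++) {
            Map<String, Object> info = createAuthInfo("alice", token, jaasEnabled);
            String found = fixed ? lookupBothPlaces(info) : lookupReported(info);
            if (found == null) {
                token = "token-" + i;
                count++;
            }
        }
        return count;
    }
    public static void main(String[] args) {
        System.out.println("jaasHelper on, reported lookup: " + renewals(5, true, false));
        System.out.println("jaasHelper on, both places:     " + renewals(5, true, true));
    }
}
```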