KB Article #177215

How to validate sessions created by the HTTP Form-Based Authentication Filter

Problem

* When using the HTTP Form-based Authentication filter, the VIDUSR cookie does not appear to be contained inside the HTTP Sessions cache.

Resolution

When you choose to create a session, the HTTP Form-based Authentication filter creates a session cookie and stores its value in the default HTTP Sessions cache. The problem arises because the cached entries are raw strings such as 1435628054-8KF/9W0eIDXdAw==, but the value that comes back in the cookie is URL-encoded: when you call Get Cookie and look at cookie.VIDUSR.value you will find it has become 1435628054-8KF%2F9W0eIDXdAw%3D%3D (the "/" encoded as %2F and each "=" as %3D). If you use Is Cached? with cookie.VIDUSR.value against the HTTP Sessions cache, the two strings do not match and the check fails.

The fix is to URL-decode the cookie value before passing it to the Is Cached? filter, so that the lookup uses the same raw string the authentication filter stored. Additionally, you may want to capture the cookie value that the HTTP Form-based Authentication filter outputs so that it can be placed in a distributed cache. This can be done by calling Set Attribute immediately after the authentication filter and storing the value of http.client.getCookie("VIDUSR") in an attribute.
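As an added illustration (not from the KB article, and not Axway filter or policy code), the following stand-alone JavaScript reproduces the lookup with a plain Set standing in for the HTTP Sessions cache: the raw lookup fails, the URL-decoded lookup succeeds, and a malformed percent-encoded cookie is treated as "no session" instead of throwing. The cached session id and the Cookie header are constructed sample values.

```javascript
// Constructed sample: one session id as the authentication filter caches it.
const SESSION_CACHE = new Set(["1435628054-8KF/9W0eIDXdAw=="]);

// Constructed sample Cookie header as a client would replay it (VIDUSR is URL-encoded).
const SAMPLE_COOKIE_HEADER =
  "JSESSIONID=abc123; VIDUSR=1435628054-8KF%2F9W0eIDXdAw%3D%3D; lang=en";

// Parse a Cookie request header into a name -> value map, leaving values as sent.
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Undo the percent-encoding. decodeURIComponent throws URIError on a malformed
// sequence; returning null keeps a bad cookie from breaking the session check.
function decodeCookieValue(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return null;
  }
}

// Stand-in for the "Is Cached?" step: compare the raw lookup with the decoded one.
function validateSession(cookieHeader, cache) {
  const raw = parseCookieHeader(cookieHeader)["VIDUSR"];
  if (raw === undefined) {
    return { raw: null, decoded: null, cachedRaw: false, cachedDecoded: false };
  }
  const decoded = decodeCookieValue(raw);
  return {
    raw,
    decoded,
    cachedRaw: cache.has(raw),                               // false: encoded string is not in the cache
    cachedDecoded: decoded !== null && cache.has(decoded),  // true: decoded string matches the cached entry
  };
}
```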

Please refer to the attached policy extract in the sidebar for further demonstration. To use, import the attached policy extract and visit /login to start the authentication flow. Note that this sample is not intended for production use. In particular, the export includes a test user that it puts into the local user store as part of the demonstration.