LDEV-4901 Rewrite session invalidation mechanism

On WildFly 8, the session invalidation mechanism had some bugs. Marek introduced a workaround in LDEV-3413. The mechanism was adjusted in LDEV-4293, especially in this commit: https://code.lamsfoundation.org/fisheye/changelog/lams-github?cs=131ce42e64069f574a2a4a9bc1e5c4be4918e5bb

Newer WildFly versions do not seem to have this bug. A part of the workaround was removed in LDEV-4696, but the invalidation mechanism stayed as if the bugs were still present. The mechanism introduced the problem with timeouts. Now that the bugs seem to be gone, the invalidation mechanism was rewritten to a more straightforward version which should have been used from the start.

It is worth keeping in mind that when one user session is present and another is being created (another browser, integration call, sysadmin's LoginAs feature), then the user gets authenticated, then the old session gets invalidated and the user gets authenticated AGAIN by WildFly using cached credentials. Caching is so useful that we cannot turn it off. It means, though, that we need to keep the login token generated by LoginRequestServlet for longer than just the first authentication, as we get the authentication call twice. Now we keep it until it is timed out.
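
An added example, not part of the commit or the LAMS code base, of the token handling the message describes: the token is checked without being consumed, so the second authentication call that follows invalidation of the old session still succeeds, and only expiry removes it. The class name, method names, per-login keying and the 30-second lifetime are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical token store (requires Java 16+ for records); not LAMS code.
public class LoginTokenStore {
    static final long TTL_MILLIS = 30_000; // assumed lifetime; it bounds the reuse window
    private static final SecureRandom RANDOM = new SecureRandom();

    private record Entry(String token, long expiresAt) {}

    private final Map<String, Entry> tokens = new ConcurrentHashMap<>();

    // Issued when the login request is accepted; a new token replaces any older one.
    public String issue(String login, long now) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(login, new Entry(token, now + TTL_MILLIS));
        return token;
    }

    // Called on every authentication attempt. A successful check does NOT remove
    // the token, because the container authenticates a second time from cached
    // credentials after the old session is invalidated.
    public boolean validate(String login, String presented, long now) {
        Entry e = tokens.get(login);
        if (e == null || presented == null) return false;
        if (now >= e.expiresAt()) {
            tokens.remove(login, e); // expiry is the only thing that retires a token
            return false;
        }
        // Constant-time comparison of the stored and presented token bytes.
        return MessageDigest.isEqual(e.token().getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        LoginTokenStore store = new LoginTokenStore();
        long t0 = System.currentTimeMillis(); // constructed timeline for user "alice"
        String token = store.issue("alice", t0);
        System.out.println("first authentication:   " + store.validate("alice", token, t0 + 100));
        System.out.println("second authentication:  " + store.validate("alice", token, t0 + 200));
        System.out.println("after timeout:          " + store.validate("alice", token, t0 + TTL_MILLIS));
    }
}
```

Because the token stays valid for its whole lifetime, anyone who captures it can replay it until it expires, so the timeout should be no longer than the double authentication needs.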