If you have multiple webapps in one (wildfly) ear each app registers its own SessionCookieConfig instance with the related path. ( In our case one under root "/" and one under "/theapp".
While logging in in 2 browser tabs 2 JSESSIONID cookies with different path are created.
But preceding calls of "/theapp"-APP returns the wrong sessionid ( the one of "/" ).
So all those calls to protected resources under "/theapp" fails dues to "no session attached"
To get the sessionId the system calls "getRequestCookie()" on HttpServerExchange with this impl:
So I think the path must be checked here as well, or?