The Glassfish FormAuthenticator was enhanced to effectively enforce
user-data-constraints on the login page.
We should now take the additional step of delaying any session creation by the
FormAuthenticator until after the enforcement of any user-data-constraint on the
This will ensure that the session cookie is acquired under https if the
login page is secure, which in turn ensures that browsers know the cookie
is not to be sent over an unprotected transport.
This change has security merits but may cause pre-existing applications to
break. As such, we may need to make it possible for an app to select or revert
to the prior functionality.
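The ordering problem described above, and the opt-in to the prior behaviour, as an added illustrative model in Python. This is not GlassFish code: the `Request`, `Response`, `CONFIDENTIAL_PATHS` and `form_authenticator` names, the constructed host name and session id, and the rule that the container marks a session cookie Secure only when it is created on a secure request are all assumptions made for the example. It shows that creating the session before enforcing the CONFIDENTIAL user-data-constraint issues a non-Secure session cookie on the http request, while delaying session creation until after the redirect means the cookie is only ever issued on the https request.

```python
"""
Illustrative model (not GlassFish code) of why the FormAuthenticator should
enforce the login page's user-data-constraint *before* it creates a session.

Assumptions (all constructed for this example): a request is a scheme + path,
a session cookie is a dict of attributes, and the login page is covered by a
CONFIDENTIAL user-data-constraint, so an http request must be redirected to
https before anything else happens.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    scheme: str                 # "http" or "https"
    path: str
    host: str = "app.example"   # constructed host name

    def is_secure(self) -> bool:
        return self.scheme == "https"


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    cookies: list = field(default_factory=list)


# Paths assumed to be covered by a CONFIDENTIAL user-data-constraint
# (web.xml <user-data-constraint><transport-guarantee>CONFIDENTIAL).
CONFIDENTIAL_PATHS = {"/login.jsp", "/j_security_check"}


def new_session_cookie(request: Request) -> dict:
    """Assumed container behaviour: the session cookie carries the Secure
    attribute only when it is created while handling a secure request."""
    return {"name": "JSESSIONID", "value": "constructed-session-id",
            "HttpOnly": True, "Secure": request.is_secure()}


def enforce_user_data_constraint(request: Request) -> Optional[Response]:
    """Redirect to https when a CONFIDENTIAL path is requested over http."""
    if request.path in CONFIDENTIAL_PATHS and not request.is_secure():
        return Response(302, location=f"https://{request.host}{request.path}")
    return None


def form_authenticator(request: Request, delay_session_creation: bool = True) -> Response:
    """Model of the login-page handling.

    delay_session_creation=False models the prior behaviour (session created
    before the constraint is enforced); True models the proposed behaviour.
    """
    cookies = []
    if not delay_session_creation:
        # Prior behaviour: the session (and its cookie) is created up front,
        # so an http request yields a session cookie without Secure.
        cookies.append(new_session_cookie(request))
    redirect = enforce_user_data_constraint(request)
    if redirect is not None:
        redirect.cookies = cookies
        return redirect
    # Constraint satisfied or not applicable: now it is safe to create the session.
    if delay_session_creation:
        cookies.append(new_session_cookie(request))
    return Response(200, cookies=cookies)


def session_cookie_is_secure(response: Response) -> Optional[bool]:
    """Secure attribute of the issued session cookie, or None if none was issued."""
    for c in response.cookies:
        if c["name"] == "JSESSIONID":
            return c["Secure"]
    return None


if __name__ == "__main__":
    req = Request("http", "/login.jsp")
    old = form_authenticator(req, delay_session_creation=False)
    new = form_authenticator(req, delay_session_creation=True)
    print("prior behaviour: status", old.status, "session cookie Secure =", session_cookie_is_secure(old))
    print("proposed:        status", new.status, "session cookie Secure =", session_cookie_is_secure(new))
    followup = form_authenticator(Request("https", "/login.jsp"))
    print("after redirect:  status", followup.status, "session cookie Secure =", session_cookie_is_secure(followup))
```

Running the module shows the prior behaviour answering the http request with a redirect that already carries a non-Secure JSESSIONID, whereas the proposed ordering issues no cookie until the client comes back over https, where the cookie is created Secure. The `delay_session_creation` flag stands in for the per-application switch back to the prior functionality mentioned above.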