My team is responsible for developing network monitoring software that uses Jetty for our user interface. We have recently upgraded from Jetty 9.3.0.v20150612 to 9.4.2.v20170220, which of course had major changes in the session management. The only required changes that we saw necessary were replacing the old HashSessionIdManager with the new DefaultSessionIdManager, and removing the old HashSessionManager since it no longer exists. We are also using a HashLoginService for authentication.
Unfortunately, after this upgrade our authentication mechanism no longer works. The login screen appears correctly when the realm file is present, and debugging the process shows that inputting the correct username and password does return a 303 as expected from the authentication endpoint, but once Jetty redirects to our user interface's homepage, the user is once again redirected to the login screen because the homepage returned a 303 as well. No error is encountered and the JSESSIONID cookie is stored as if things were working as expected, so I am hoping someone more familiar with the product may have some insight as to what could cause this. Again, everything worked fine before the Jetty upgrade.