JwtSessionModule is setting Max-Age cookie attribute to negative value to mark it as a session cookie. This is in line with ServletJwtSessionModule that does the same, however CHF Cookie API is not the same as javax.servlet Cookie API in a sense that negative Max-Age will automatically expire the cookie.
JwtSessionModule needs to handle negative max-age according to AbstractJwtSessionModule#getCookieMaxAge's contract.
JwtSessionModuleis setting Max-Age cookie attribute to negative value to mark it as a session cookie. This is in line withServletJwtSessionModulethat does the same, however CHF Cookie API is not the same as javax.servlet Cookie API in a sense that negative Max-Age will automatically expire the cookie.JwtSessionModuleneeds to handle negative max-age according toAbstractJwtSessionModule#getCookieMaxAge's contract.This issue breaks Wren:IDM's authentication.