Identity Manager semicolon and jsessionid cookie in URL line
Article ID: 269688

Products

CA Identity Manager

Issue/Introduction

After upgrading from 14.3 to 14.4 (or 14.5), navigating through the user application in the browser shows that the public tasks for Self Registration/Forgot UserID generate a malformed URI: index.jsp is missing, and an extraneous semicolon and jsessionid cookie value appear on the URL line.

On 14.3/14.4 URL:

https://<hostname>/iam/im/yourimenv/ui7/index.jsp?facesViewId=/app/page/screen/fp_identify_user.jsp

On 14.4/14.5 URL:

https://<hostname>/im/yourimenv/ui7/;jsessionid=02Z0gBdm#########_o6wwnfc9_xLuMa.<hostname>?facesviewId=/app/page/profile/profile.jsp


The Web Application Firewall blocks this request because it classifies it as an "authentication bypass vulnerability via semicolon", citing CVE-2020-13933 (Apache Shiro).

How can the malformed URL be fixed in 14.4+, given that the jsessionid cookie and semicolon should not appear on the URL line and index.jsp should follow /ui7/?

Environment

Identity Manager 14.4/14.5, EAP 7.4

Cause

Caused by a misconfiguration in JBoss/WildFly: session tracking is not restricted to cookies, so the container rewrites the session ID into the URL as a ;jsessionid path parameter.

Resolution

Under iam_im.ear/user_console.war/WEB-INF, modify web.xml so that the session configuration reads as follows (tracking-mode COOKIE stops the container from rewriting the session ID into the URL, and the http-only and secure flags keep the cookie out of script and off plain HTTP):

<session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
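As an added example (not part of this article or of the CA Identity Manager product), the following Python script audits a web.xml for cookie-only session tracking and flags URLs that carry a ;jsessionid path parameter, which is the symptom described above. The web.xml fragments and URLs embedded in it are constructed samples; the session-config block is the one given in the Resolution, wrapped in a minimal web-app element so it parses stand-alone.

```python
"""Audit a Servlet web.xml for cookie-only session tracking and detect
URLs that expose the session ID as a ;jsessionid path parameter.
Added example, not part of CA Identity Manager or this article."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the session-config block from the Resolution,
# inside a minimal web-app element.
GOOD_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

# Constructed sample: no tracking-mode, so the container may fall back to
# URL rewriting and emit ;jsessionid=... on the first request of a session.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>
"""

# Constructed sample URLs shaped like the ones in the article (hostname and
# session ID are placeholders, not real values).
BAD_URL = ("https://host.example/im/yourimenv/ui7/;jsessionid=ABC123.host.example"
           "?facesviewId=/app/page/profile/profile.jsp")
GOOD_URL = ("https://host.example/iam/im/yourimenv/ui7/index.jsp"
            "?facesViewId=/app/page/screen/fp_identify_user.jsp")

# Matches a jsessionid path parameter up to the next query, fragment or path separator.
JSESSIONID_IN_PATH = re.compile(r";jsessionid=[^?#/]+", re.IGNORECASE)


def _local(tag):
    """Strip the XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def audit_session_config(web_xml_text):
    """Return a dict describing session tracking settings in a web.xml.

    cookie_only is True only when tracking-mode is exactly COOKIE; if the
    element is absent the container's default may include URL rewriting."""
    root = ET.fromstring(web_xml_text)
    findings = {"tracking_modes": [], "http_only": False, "secure": False}
    for el in root.iter():
        name = _local(el.tag)
        text = (el.text or "").strip()
        if name == "tracking-mode":
            findings["tracking_modes"].append(text.upper())
        elif name == "http-only":
            findings["http_only"] = text.lower() == "true"
        elif name == "secure":
            findings["secure"] = text.lower() == "true"
    findings["cookie_only"] = findings["tracking_modes"] == ["COOKIE"]
    return findings


def session_id_in_url(url):
    """True when the URL carries the session ID as a ;jsessionid path parameter."""
    return JSESSIONID_IN_PATH.search(url) is not None


def strip_session_id(url):
    """Remove a ;jsessionid path parameter, e.g. before writing a URL to a log."""
    return JSESSIONID_IN_PATH.sub("", url)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_WEB_XML), ("weak", WEAK_WEB_XML)):
        print(label, audit_session_config(doc))
    for url in (BAD_URL, GOOD_URL):
        print(session_id_in_url(url), strip_session_id(url))
```

Run it against the deployed iam_im.ear/user_console.war/WEB-INF/web.xml after the change to confirm cookie_only, http_only and secure are all True; the URL helpers can be pointed at access-log lines to confirm no ;jsessionid values are still being emitted.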