Identity Manager semicolon and jsessionid cookie in URL line

Article ID: 269688
Products

CA Identity Manager

Issue/Introduction

After upgrading from 14.3 to 14.4, navigating the user application in the browser shows that the public tasks for Self Registration / Forgot UserID generate a malformed URI: index.jsp is missing, and an extraneous semicolon followed by the jsessionid cookie value appears on the URL line.

On 14.3 URL:

https://<hostname>/iam/im/yourimenv/ui7/index.jsp?facesViewId=/app/page/screen/fp_identify_user.jsp

On 14.4 URL:

https://<hostname>/im/yourimenv/ui7/;jsessionid=02Z0gBdm#########_o6wwnfc9_xLuMa.<hostname>?facesviewId=/app/page/profile/profile.jsp

The Web Application Firewall blocks this request because it matches a rule for "authentication bypass vulnerability via semicolon", citing CVE-2020-13933, an Apache Shiro issue in which a semicolon in the URL path is used to bypass authentication.

How can the malformed URL in 14.4 be fixed, so that the jsessionid cookie and semicolon no longer appear on the URL line and index.jsp follows /ui7/ as it did in 14.3?

Environment

Release : Identity Manager 14.4 EAP 7.4

Cause

This is due to a session-tracking misconfiguration on JBoss: with no explicit tracking mode in web.xml, the container can fall back to URL rewriting and append ;jsessionid=... to the path instead of carrying the session ID only in the cookie.

Resolution

Under iam_im.ear/user_console.war/WEB-INF, modify web.xml so that the session-config section reads:

<session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
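The following script is an added example, not part of this article or of CA Identity Manager: it audits a web.xml for the session-config settings shown above (tracking-mode COOKIE, HttpOnly and Secure on the cookie) and flags URLs that still carry a ;jsessionid= path parameter, which is the token the WAF rule described above keys on. The two web.xml documents embedded in it are constructed samples of the before and after states, not files taken from the product.

```python
"""Audit a servlet web.xml session-config for URL-rewritten session IDs.

Added example (not from the article or the product): checks that
<tracking-mode> is COOKIE and that the session cookie is HttpOnly and
Secure, and flags URLs that carry a ;jsessionid=... path parameter.
Namespace-agnostic so it works with or without an xmlns on <web-app>.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the shape of a web.xml BEFORE the fix
# (no <tracking-mode>, so the container may fall back to URL rewriting).
WEB_XML_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>60</session-timeout>
  </session-config>
</web-app>
"""

# Constructed sample: the configuration the resolution above describes.
WEB_XML_AFTER = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>60</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}tracking-mode' -> 'tracking-mode'."""
    return tag.rsplit('}', 1)[-1]


def _find_all(elem, name):
    """All descendants (including elem) whose local tag name is `name`."""
    return [e for e in elem.iter() if _local(e.tag) == name]


def audit_session_config(xml_text):
    """Return a list of findings; an empty list means the config looks right."""
    root = ET.fromstring(xml_text)
    findings = []
    modes = [e.text.strip().upper()
             for e in _find_all(root, 'tracking-mode') if e.text]
    if not modes:
        findings.append('no <tracking-mode>: container default may allow URL rewriting')
    elif modes != ['COOKIE']:
        # e.g. ['COOKIE', 'URL'] still permits the session ID in the path
        findings.append('tracking-mode is %s, expected COOKIE only' % ','.join(modes))
    for flag in ('http-only', 'secure'):
        vals = [e.text.strip().lower() for e in _find_all(root, flag) if e.text]
        if vals != ['true']:
            findings.append('<%s> not set to true in <cookie-config>' % flag)
    return findings


# Matches a ;jsessionid=<value> path parameter (case-insensitive), the
# token the WAF rule in the article keys on.
_PATH_SESSION_RE = re.compile(r';jsessionid=[^/?#;]*', re.IGNORECASE)


def has_path_session_id(url):
    """True if the URL carries the session ID as a path parameter."""
    return _PATH_SESSION_RE.search(url) is not None


if __name__ == '__main__':
    for label, doc in (('before', WEB_XML_BEFORE), ('after', WEB_XML_AFTER)):
        print(label, audit_session_config(doc) or 'OK')
    print(has_path_session_id('https://host/im/env/ui7/;jsessionid=AbC123.host?x=1'))
```

Run the audit against the deployed iam_im.ear/user_console.war/WEB-INF/web.xml after the change; an empty findings list confirms the tracking-mode and cookie flags are in place, and `has_path_session_id` can be applied to access-log URLs to confirm the rewritten form has stopped appearing.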