The login servlet was extended with 2 new possible login requests. Those new requests required some configuration parameters.

The file contains the following new configuration parameters:

com.openexchange.ajax.login.http-auth.autologin Configures whether a user can re-enter an existing session after closing the browser tab or the entire browser. Setting this to true may be a security risk for clients running on unsafe computers, therefore the default is false. If this is set to true, check that the parameter client contains the same identifier the UI sends as the client parameter on a normal login request. Otherwise the backend will not be able to rediscover the user's session after the browser tab is closed. This parameter only applies to the HTTP authorization based login request.

com.openexchange.ajax.login.http-auth.client Every client tells the backend its identity through the client parameter on the login request. This is not possible when using the HTTP authorization header based login, so the client identifier for that request is defined here. It must be the same identifier that the web frontend uses if you set com.openexchange.cookie.hash to calculate and want the previously configured autologin to work. The default is therefore the same identifier that the web frontend sends.

com.openexchange.ajax.login.http-auth.version The version of the client when using the HTTP authorization header based login. This should not be the normal web frontend version, because a different version can be used to distinguish logins through the HTTP authorization header from normal login requests. So the default is HTTP
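
A configuration check for the three parameters described above, written as an added example and not taken from the Open-Xchange code base. The UI client identifier, the web frontend version and all sample values are constructed placeholders; an unset parameter is treated as its default.

```python
# Added example, not Open-Xchange code. The identifiers and versions in the
# sample values are constructed placeholders.
PREFIX = "com.openexchange.ajax.login.http-auth."

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_http_auth(props, ui_client, ui_version):
    """Return (parameter, finding) pairs for the three http-auth settings."""
    findings = []
    autologin = props.get(PREFIX + "autologin", "false").lower() == "true"
    client = props.get(PREFIX + "client")    # unset means the default
    version = props.get(PREFIX + "version")  # unset means the default
    if autologin:
        findings.append(("autologin",
                         "sessions can be re-entered after the browser is closed"))
        if client is not None and client != ui_client:
            findings.append(("client",
                             "differs from the UI identifier, so the session "
                             "cannot be rediscovered"))
    if version is not None and version == ui_version:
        findings.append(("version",
                         "equals the web frontend version, so HTTP authorization "
                         "logins cannot be told apart from normal logins"))
    return findings

# Constructed sample configuration.
SAMPLE = """
# constructed values for illustration
com.openexchange.ajax.login.http-auth.autologin=true
com.openexchange.ajax.login.http-auth.client=example.other.client
com.openexchange.ajax.login.http-auth.version=1.0-example
"""

if __name__ == "__main__":
    for name, text in check_http_auth(parse_properties(SAMPLE),
                                      "example.ui.client", "1.0-example"):
        print(PREFIX + name + ": " + text)
```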