The user gets three authentication retries because the
Maximum Macro Loop
is set to
. Because the
is blank, the subroutine can create only one distinct subsession. While the
subsession exists, if the user makes another request that matches the application area, the user
is not challenged again for authentication.