4

Background

I have two webshpere apps

(installed on two separate profiles, and both the ports and context roots are different)

Scenario

  • When logging into app1, users get a JSESSIONID cookie X
  • When logging into app2 in another browser tab (IE8) user gets a JESSSIONID cookie Y

Problem

  • When logging into app2, the JSESSIONID cookie value Y overwrites the value X, thus invalidation the session of app1 (user is thrown back to login page if they do anything)

Question

  • Is that the default behavior? it looks weird that two web apps can share a JSESSIONID cookie
  • Is there a way to configure the two web apps to have JSESSIONID cookie isolation?
Eran Medan
  • 173
  • 1
  • 1
  • 8

4 Answers4

2

Those two apps are unaware of each other since they're in separate profiles. So I expect the second one sees a session ID it doesn't recognize, assumes it's an expired one, and creates a new one.

You can change one of the application's cookie name to something other than JSESSIONID or you can change its path so that it is only sent back for /app1 or /app2.

Either server-wide under Servers > Server name > Session Management > Enable Cookies or for the particular application(s) under Enterprise Applications > Application name > Session Management > Enable Cookies. If you choose the latter, you have to also check Override session management.

dbreaux
  • 301
  • 1
  • 7
2

May be you should set an application specific cookie path so that you restrict the URL a cookie will be sent.

This can be done by enabling Override session management in Enterprise Applications > AppName > Session management and choose Enable cookies > Cookie path > Set cookie path to be equal to the context root of the application e.g. equal to app1 or app2.

To my opinion this is the most preferable way to isolate cookies from apps running in the same host.

trikelef
  • 488
  • 1
  • 7
  • 26
2

There is an alternate (AIUI, preferred?) solution to changing the cookie name or adding a path component -- you can configure both applications to re-use the incoming session ID and base the created session around it.

http://www-01.ibm.com/support/docview.wss?uid=swg21210881

covener
  • 1,665
  • 9
  • 15
  • Good link @covener. That technique specifically mentions multiple nodes in the same domain. I'm wondering if it also works across multiple profiles. I'm also wondering if that means that visiting with an old, expired session ID causes that ID to be reused anyway... – dbreaux Jan 30 '13 at 14:39
0

i had same issue in my environment. Inspite of changing cookie path in both the application's, i had changed only one application cookie path and enabled override session management. issue got resolved after making the change.

siva reddy kandula
  • 1