Logging out of one application causes sessions to be destroyed in all other web applications - How to Fix?

1

I have two web applications deployed in a corporate environment on IE6/8: App A uses smart card authentication; App B is just standard authentication.

When App A logs out/de-authenticates, it seems to destroy the sessions for App B and cause people to lose work and have to log back in again.

App B is based on ColdFusion. Not sure what App A is based on.

I haven't got any further info - but if there are specific questions as to the nature of the applications please ask.

Is there a solution that doesn't involve Citrix / Virtualisation / two PCs and a KVM switch? ;-)

Stevo

Posted 2011-03-16T11:28:12.513

Reputation: 121

Are they both running under the same domain? If so they could be sharing the same cookie and when you log out of one the cookie is destroyed. – Majenko – 2011-03-16T11:30:33.397

Answers

1

Make sure that your two applications have different names in your Application.cfm/cfc. ColdFusion uses the Application name (either set via cfapplication or this.name) to determine which application the user is currently logged into. If they have different names, you shouldn't have any issues.

Dan Short

Posted 2011-03-16T11:28:12.513

Reputation: 266

Hi Dan, I have no control over the configuration of either application - and only one of them is based upon ColdFusion, so it's not a ColdFusion issue. When App A (not CF) de-authenticates it destroys all sessions for ALL web applications. Presumably it's just wiping all cookies? – Stevo – 2011-03-16T11:56:41.443

As Matt said, if they're on the same domain, and App A destroys all cookies, then yes, it will destroy any ability for CF to track that user. Since you're not dealing with two CF apps, and you don't have control over either code base, then you're really stuck on this one... This isn't a browser issue you can control, it's all server. – Dan Short – 2011-03-16T13:13:03.720

I'll check, but I don't think they are on the same domain as the apps are hosted by two different organisations... and when I say it destroys all cookies, I mean it destroys them for ALL sites that the web browser holds cookies for, not just ones that are hosted on our domain. – Stevo – 2011-03-16T13:39:37.487

That's contrary to everything I know about browsers and cookies. Cookies are inherently locked to the domain that creates them. For example, my blog can't access the cookies from your browsing session at "ilikestinkyfeet.com"... I can't even tell that you have cookies from that domain (a good thing for you I'd say :-). Now, if both applications are on the same TLD (app1.domain.com and app2.domain.com), the cookies can be written so they're accessible across domains, but they should be able to hit any cookie not part of their domain structure. – Dan Short – 2011-03-17T12:51:13.740

And you would be correct. I went and had a look at the setup and App A is an installed desktop app with smartcard ID authentication. So when you pull out the smartcard it kills the sessions in the active browser. A workaround someone tried was to create a second instance of IE i.e. iexplore2.exe, but when that activated pop-ups (essential for App B) they launched in iexplore.exe. What a mess! I'm guessing that because it's a desktop app it's got access to anything it wants in the OS. So sounds like the only thing that'll fix it is some dev on App A. – Stevo – 2011-03-17T19:19:38.730
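The cookie scoping discussed in the comments above can be checked with a small model of the browser's rules. This is an added example, not code from any of the posts: it applies a simplified form of RFC 6265 domain matching (paths and the public-suffix check are left out) to a constructed cookie jar, and the host names, jar contents and function names are hypothetical.

```javascript
// Added example. Simplified from RFC 6265: paths and the public-suffix check are left out.

// Section 5.1.3: true when `host` domain-matches `cookieDomain`.
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + cookieDomain);
}

// Domain a Set-Cookie from `responseHost` would be stored under, or null
// when the browser ignores the header (section 5.3, step 6).
function storageDomain(responseHost, domainAttr) {
  if (!domainAttr) return responseHost.toLowerCase();
  const domain = domainAttr.replace(/^\./, '').toLowerCase();
  return domainMatch(responseHost, domain) ? domain : null;
}

// Apply a logout response's expiring Set-Cookie headers to the jar.
// Returns the entries that were actually evicted.
function applyLogout(jar, responseHost, expiring) {
  const removed = [];
  for (const { name, domainAttr } of expiring) {
    const domain = storageDomain(responseHost, domainAttr);
    if (domain === null) continue; // this host may not write to that domain
    for (let i = jar.length - 1; i >= 0; i--) {
      if (jar[i].name === name && jar[i].domain === domain) {
        removed.push(...jar.splice(i, 1));
      }
    }
  }
  return removed;
}

// Constructed sample jar and logout response (hypothetical hosts and values).
function demo() {
  const jar = [
    { name: 'CFID', domain: 'domain.com' },              // shared via Domain=domain.com
    { name: 'CFID', domain: 'app2.domain.com' },         // host-only, set by app2
    { name: 'SESSION', domain: 'app.other-org.example' } // different organisation
  ];
  const removed = applyLogout(jar, 'app1.domain.com', [
    { name: 'CFID', domainAttr: 'domain.com' },
    { name: 'CFID', domainAttr: 'app2.domain.com' },
    { name: 'SESSION', domainAttr: 'other-org.example' }
  ]);
  return { removed, remaining: jar };
}
```

In this model a logout served from app1.domain.com evicts only the cookie stored under the shared parent domain, so a web application wiping cookies for unrelated sites would point to something outside the browser's cookie rules.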