Solution: JSESSIONID, two web applications, and MSIE
Under certain circumstances, a web application at a subdomain can interfere with one at the root domain, because of a confusion over session cookies. This bug/issue most strongly affects the Microsoft Internet Explorer (MSIE) browser, up to at least version 6.0.2800. Here's the scenario:
Not all web applications are vulnerable. Tomcat looks to see if the JSESSIONID is valid, and if not it keeps looking until it either finds a valid key, or runs out of cookies. Other servlet containers and web applications may not be so well thought out.
The solutions are not always easy. Unless you switch environments, you may not be able to change the name of the session cookie (for example, JSESSIONID is part of the Java J2EE specification). But you can force all visitors to www.domain.org, rather than domain.org.
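The sketch below is an added example, not code from the original page or from any servlet container. It contrasts a lookup that trusts the first JSESSIONID it sees with the "keep looking until one is valid" behaviour described above for Tomcat, and shows the redirect decision for forcing visitors onto www.domain.org. The function names, session ids, session store and Cookie header are all constructed for illustration, and the request is assumed to carry two cookies with the same name.

```python
# Added illustration. Session ids, store and Cookie header are constructed.

def parse_cookie_header(header):
    """Return (name, value) pairs in the order sent, keeping duplicate names."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            pairs.append((name, value))
    return pairs

def first_match_session(header, sessions, name="JSESSIONID"):
    """Fragile lookup: only the first cookie with the session name is tried."""
    for n, v in parse_cookie_header(header):
        if n == name:
            return sessions.get(v)  # None if that id belongs to the other app
    return None

def first_valid_session(header, sessions, name="JSESSIONID"):
    """Lookup the page attributes to Tomcat: try each candidate until one is valid."""
    for n, v in parse_cookie_header(header):
        if n == name and v in sessions:
            return sessions[v]
    return None

def canonical_redirect(host_header, path, bare="domain.org", scheme="http"):
    """Return the www URL to redirect to when the request hit the bare domain."""
    host = host_header.split(":")[0].strip().lower()
    if host == bare:
        # Target is built from the fixed name, never from the client's Host value.
        return f"{scheme}://www.{bare}{path}"
    return None

if __name__ == "__main__":
    # Constructed request: two cookies share the name, only the second is ours.
    header = "JSESSIONID=A111ROOT; theme=dark; JSESSIONID=B222SUB"
    sessions = {"B222SUB": "alice"}  # this application's session store
    print(first_match_session(header, sessions))
    print(first_valid_session(header, sessions))
    print(canonical_redirect("domain.org", "/app/"))
```

With the first-match lookup the visitor appears logged out and typically receives a fresh session on every request; the redirect removes the condition by keeping all traffic on a single host name.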
This issue is known to affect systems using a mix of: WebSphere, Tomcat, Resin, frameworks such as Struts, and just about any two applications that share the same name for the session cookie.
Written April 2006, by Bryce Nesbitt, www.obviously.com (Yes, we found out the hard way)