Solution: JSESSIONID, two web applications, and MSIE

Under certain circumstances, a web application at a subdomain can interfere with one at the root domain, because of a confusion over session cookies. This bug/issue most strongly affects the Microsoft Internet Explorer (MSIE) browser, up to at least version 6.0.2800. Here's the scenario:

  • A user logs into a session at domain.org (not www.domain.org). This user gets a session cookie which (surprise!) can be read by any subdomain of domain.org.
  • The same user links to a second application at subdomain.domain.org.
  • The user logs in, thus setting a second session cookie. This login will work!
  • But trouble is just ahead; the moment the user browses anywhere, the application may fail. MSIE returns the domain.org session cookie first, not the subdomain.domain.org cookie.

Not all web applications are vulnerable. Tomcat looks to see if the JSESSIONID is valid, and if not it keeps looking until it either finds a valid key, or runs out of cookies. Other servlet containers and web applications may not be so well thought out.

The solutions are not always easy. Unless you switch environments, you may not be able to change the name of the session cookie (for example, JSESSIONID is part of the Java J2EE specification). But you can force all visitors to www.domain.org rather than domain.org.
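The cookie-scanning behaviour described for Tomcat above, and the www redirect workaround, as an added Python simulation (not code from the original page or from any servlet container). The Cookie header, session ids and host names are constructed; a real container's logic lives in its request/session handling rather than here.

```python
# Constructed sample of what MSIE sends to subdomain.domain.org after the user has
# logged in at both domain.org and subdomain.domain.org: the root-domain cookie
# arrives first, and both carry the same name because J2EE mandates JSESSIONID.
COOKIE_HEADER = "JSESSIONID=ROOTAPP111; JSESSIONID=SUBAPP222; theme=dark"

# Constructed session store of the subdomain application; only its own id is valid.
SUBDOMAIN_SESSIONS = {"SUBAPP222": {"user": "alice"}}


def parse_cookies(header):
    """Return (name, value) pairs in wire order, keeping duplicate names.
    (Many cookie parsers collapse duplicates, which hides this problem.)"""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def naive_session(header, sessions):
    """Take the first JSESSIONID seen and stop; this is the failure mode the
    text describes when the root-domain cookie is returned first."""
    for name, value in parse_cookies(header):
        if name == "JSESSIONID":
            return sessions.get(value)
    return None


def scanning_session(header, sessions):
    """Tomcat-style resolution: keep checking JSESSIONID values until one is
    valid for this application, or the cookies run out."""
    for name, value in parse_cookies(header):
        if name == "JSESSIONID" and value in sessions:
            return sessions[value]
    return None


def canonical_redirect(host, path="/"):
    """Workaround from the text: send visitors of bare domain.org to
    www.domain.org so its session cookie is not shared with subdomains.
    Returns a redirect Location, or None when the host is already canonical."""
    if host.lower() == "domain.org":
        return "http://www.domain.org" + path
    return None
```

With the sample header, the naive lookup returns no session (the user appears logged out) while the scanning lookup finds the subdomain session.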

This issue is known to affect systems using a mix of WebSphere, Tomcat, Resin, frameworks such as Struts, and just about any two applications that share the same name for the session cookie.

Written April 2006, by Bryce Nesbitt, www.obviously.com (Yes, we found out the hard way)
