This topic has 1 reply, 2 voices, and was last updated 6 years, 3 months ago by 
-
Posts
-
Hello,
I’m protecting multiple service provider applications (Java & .NET) with OpenIG using
SAMLFederationHandler. All these applications are currently hosted separately without OpenIG. But we would like to host using same domain likewww.example.com/app1,www.example.com/app2etc.Some service providers are Java and some are .NET applications. All java applications use the default
JSESSIONIDas the session cookie and .NET uses.ASPXAUTHas session cookie.OpenIG setup works fine except for one issue. Per my configuration, all the cookies are propagated to the browser without any changes. When I log into second java application the
JSESSIONIDcookie overwrites the first java application’sJSESSIONIDcookie. So when I go back and browse the first java application, it throws me out because of invalid session.I believe that if we have different sub-domain names for each application this problem won’t happen. But I’m trying to figure out whether I can have single domain name. I thought the CookieFilter will help and configured it to suppress sending it to the browser cookie, but unfortunately the session maintained by OpenIG in the backend also overwrites the cookie. Seems the cookie manager is also common. It doesn’t maintain separate session based on
sessionIndexMapping.My
CookieFilteris like this.{ "name": "CookieFilter", "type": "CookieFilter", "config": { "managed": [ "JSESSIONID" ], "suppressed": [ "JSESSIONID" ], "defaultAction": "MANAGE" } }My question is – Is there a way to handle same session cookie name, apart from renaming the cookie on the application server side or having separate sub-domain names?
I couldn’t fine any related posts in the forum. Please help.
You must be logged in to reply to this topic.
