Multiple Service Providers with same session cookie name

This topic has 1 reply, 2 voices, and was last updated 6 years, 3 months ago by Guillaume Sauthier.

  • #10326
     sundar_ssp
    Participant

    Hello,

    I’m protecting multiple service provider applications (Java & .NET) with OpenIG using SAMLFederationHandler. All these applications are currently hosted separately without OpenIG, but we would like to host them under the same domain, like www.example.com/app1, www.example.com/app2, etc.

    Some service providers are Java and some are .NET applications. All Java applications use the default JSESSIONID as the session cookie, and .NET uses .ASPXAUTH as the session cookie.

    The OpenIG setup works fine except for one issue. Per my configuration, all the cookies are propagated to the browser without any changes. When I log into the second Java application, its JSESSIONID cookie overwrites the first Java application’s JSESSIONID cookie. So when I go back and browse the first Java application, it throws me out because of an invalid session.

    I believe that if we had different sub-domain names for each application this problem wouldn’t happen. But I’m trying to figure out whether I can have a single domain name. I thought the CookieFilter would help and configured it to suppress sending the cookie to the browser, but unfortunately the session maintained by OpenIG in the backend also overwrites the cookie. It seems the cookie manager is also common. It doesn’t maintain separate sessions based on sessionIndexMapping.

    My CookieFilter is like this.

    {
        "name": "CookieFilter",
        "type": "CookieFilter",
        "config": {
            "managed": [
                "JSESSIONID"
            ],
            "suppressed": [
                "JSESSIONID"
            ],
            "defaultAction": "MANAGE"
        }
    }

    My question is: is there a way to handle the same session cookie name, apart from renaming the cookie on the application server side or having separate sub-domain names?

    I couldn’t find any related posts in the forum. Please help.
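As an added illustration of the collision described above (this is not OpenIG's CookieFilter and not code from this thread): a browser keys cookies by name, domain and path, so a proxy that scopes each backend's Set-Cookie to the URL prefix it serves that application under (e.g. Path=/app1) lets two JSESSIONID cookies coexist on one host. The Set-Cookie headers, prefixes and the simplified cookie jar below are constructed for the demonstration.

```python
# Constructed Set-Cookie headers, as two Java backends behind one host would emit them.
# Both use the servlet default name JSESSIONID and set no Path, so the browser keys
# them as one cookie and the second login overwrites the first.
APP1_SET_COOKIE = "JSESSIONID=A1B2C3; HttpOnly"
APP2_SET_COOKIE = "JSESSIONID=D4E5F6; HttpOnly"


def scope_cookie_path(set_cookie: str, app_prefix: str) -> str:
    """Rewrite (or add) the Path attribute of a backend Set-Cookie so the cookie
    is scoped to the URL prefix the proxy serves that application under."""
    parts = [p.strip() for p in set_cookie.split(";")]
    # The proxy decides the path, so drop whatever Path the backend set.
    kept = [p for p in parts if not p.lower().startswith("path=")]
    kept.append(f"Path={app_prefix}")
    return "; ".join(kept)


def store(jar: dict, set_cookie: str) -> None:
    """Minimal cookie jar: per RFC 6265 a cookie is identified by (name, domain, path),
    so two JSESSIONID cookies with different paths coexist. Domain is fixed here."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, value = parts[0].partition("=")
    path = "/"  # simplified default-path for a cookie that sets no Path
    for attr in parts[1:]:
        if attr.lower().startswith("path="):
            path = attr.split("=", 1)[1]
    jar[(name, path)] = value


def cookies_for(jar: dict, request_path: str) -> dict:
    """Cookies a browser would send for request_path (RFC 6265 path-match)."""
    return {name: value for (name, path), value in jar.items()
            if request_path == path
            or request_path.startswith(path.rstrip("/") + "/")}


def simulate(scope_paths: bool) -> dict:
    """Log in to app1 then app2 and report which JSESSIONID each app receives."""
    jar = {}
    for prefix, header in (("/app1", APP1_SET_COOKIE), ("/app2", APP2_SET_COOKIE)):
        store(jar, scope_cookie_path(header, prefix) if scope_paths else header)
    return {"app1": cookies_for(jar, "/app1/home"),
            "app2": cookies_for(jar, "/app2/home")}


if __name__ == "__main__":
    print("unscoped:", simulate(False))  # app1 now carries app2's session id
    print("scoped:  ", simulate(True))   # each app keeps its own session id
```

A cookie path is a namespacing convenience, not a security boundary: script running on the same origin can still read cookies from any path, so the applications remain in one trust domain and the proxy must still forward each cookie only to the backend it belongs to.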

    #10357

    So, you would like to have your OpenIG acting as a single SP for all the protected applications?
    I mean, you authenticate only once and then you have SSO working for the apps.

    BTW, do you have to authenticate against each of the applications?

©2022 ForgeRock