0

I'm trying to understand the uniqueness and scope of a JSessionId, as it relates across multiple, unreleated domains.

I've read Under what conditions is a JSESSIONID created?, and still have some questions --

Specifically:

If a user visits www.app1.com, and that app makes a call to www.app2.com to load data, are two jsessionId's created - one for each domain?

Likewise, when the call goes out to www.app2.com, is any information about the jsessionid from www.app1.com passed along?

What impact do redirects have on this? (Eg., requesting http://app1.com/login.jsp redirects to http://app2.com/login.jsp)

Cœur
  • 37,241
  • 25
  • 195
  • 267
Marty Pitt
  • 28,822
  • 36
  • 122
  • 195

2 Answers2

2

If a user visits www.app1.com, and that app makes a call to www.app2.com to load data, are two jsessionId's created - one for each domain?

Yes. More accurately every separate WebApp will issue its own cookie for its domain. So www.app1.com/1 and www.app1.com/2 will have different cookies if different webapps are mapped.

Likewise, when the call goes out to www.app2.com, is any information about the jsessionid from www.app1.com passed along?

No, but read up about XSS and CSRF on why securing your app is good, because it isn't hard to inject scripts that pass along your cookie to another url.

What impact do redirects have on this? (Eg., requesting http://app1.com/login.jsp redirects to http://app2.com/login.jsp)

None whatsoever. If you happen to be already loggged on to both, you'll probably be logged on afterwards. Logging off one doesn't affect the other. (If you want true single on/single sign off, both apps must trust a 3rd party like CAS server or Kerberos server).

Marty Pitt
  • 28,822
  • 36
  • 122
  • 195
MJB
  • 9,352
  • 6
  • 34
  • 49
1

JSESSIONID is session cookie. This cookie has a domain set, so in your case you would have 2 cookies, both called JSESSIONID with a different path in their domain attribute.

Pablo Fernandez
  • 103,170
  • 56
  • 192
  • 232