I'm trying to understand the uniqueness and scope of a JSESSIONID, as it relates across multiple, unrelated domains.
I've read Under what conditions is a JSESSIONID created?, and still have some questions —
Specifically:
If a user visits www.app1.com, and that app makes a call to www.app2.com to load data, are two JSESSIONIDs created, one for each domain?
Likewise, when the call goes out to www.app2.com, is any information about the JSESSIONID from www.app1.com passed along?
What impact do redirects have on this? (E.g., requesting http://app1.com/login.jsp redirects to http://app2.com/login.jsp.)
Best Answer
Yes. More accurately every separate WebApp will issue its own cookie for its domain. So www.app1.com/1 and www.app1.com/2 will have different cookies if different webapps are mapped.
No, but read up about XSS and CSRF on why securing your app is good, because it isn't hard to inject scripts that pass along your cookie to another url.
None whatsoever. If you happen to be already logged on to both, you'll probably be logged on afterwards. Logging off one doesn't affect the other. (If you want true single sign on/single sign off, both apps must trust a 3rd party like a CAS server or Kerberos server.)
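As an added illustration of the answer above (example code, not from the original post or from any project), the following Python script replays the question's three scenarios against a browser-style cookie jar, the standard library's http.cookiejar, and reports which JSESSIONID, if any, the browser would send on each request. The hostnames, the context paths /1 and /2, the session ID values, and the Path=<context path> attribute (the Tomcat default) are assumptions made for the demo; www.* hosts are used throughout because a Set-Cookie without a Domain attribute produces a host-only cookie, so www.app2.com and app2.com would not share one either.

```python
"""Added example: how a browser scopes JSESSIONID cookies per host and path.

Not code from the original post. Hostnames, context paths (/1, /2), session
ID values and the Path=<context path> convention are assumptions for the demo.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for an HTTP response (constructed for the demo).

    CookieJar.extract_cookies() only calls response.info() and reads the
    Set-Cookie headers from the returned message, so that is all we provide.
    """

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers["Set-Cookie"] = header  # Message keeps repeated headers

    def info(self):
        return self._headers


def store_session_cookie(jar, url, session_id, context_path):
    """Feed the jar the Set-Cookie a servlet container would send for `url`.

    Tomcat-style containers scope JSESSIONID to the webapp's context path
    (Path=<context path>). With no Domain attribute, the browser treats the
    cookie as host-only: it belongs to exactly the host that responded.
    """
    request = Request(url)
    response = FakeResponse([f"JSESSIONID={session_id}; Path={context_path}; HttpOnly"])
    jar.extract_cookies(response, request)


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for `url`.

    Returns None when no stored cookie matches the request's host and path.
    """
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def simulate_browser():
    """Walk through the question's scenario; return {label: Cookie header or None}."""
    jar = CookieJar()  # one jar = one browser profile
    seen = {}

    # Q1: the user logs in to webapp "/1" on www.app1.com; the container issues a session.
    store_session_cookie(jar, "http://www.app1.com/1/login.jsp", "AAA111", "/1")
    # A second webapp "/2" on the same host issues its own, separately scoped cookie
    # (same cookie name, different Path, so both coexist in the jar).
    store_session_cookie(jar, "http://www.app1.com/2/login.jsp", "BBB222", "/2")
    seen["www.app1.com /1"] = cookie_header_for(jar, "http://www.app1.com/1/data")
    seen["www.app1.com /2"] = cookie_header_for(jar, "http://www.app1.com/2/data")

    # Q2: the page on app1 now fetches data from www.app2.com. Nothing from app1
    # is sent along: the jar holds no cookie scoped to that host yet.
    seen["www.app2.com before its own login"] = cookie_header_for(jar, "http://www.app2.com/data")
    # app2 answers with its own session cookie, scoped to its own host.
    store_session_cookie(jar, "http://www.app2.com/data", "CCC333", "/")
    seen["www.app2.com after its own login"] = cookie_header_for(jar, "http://www.app2.com/data")

    # Q3: app1's login.jsp answers 302 Location: http://www.app2.com/login.jsp.
    # The browser simply issues a fresh request to that host; cookie selection
    # is by host and path exactly as above, so only app2's own cookie goes out.
    seen["www.app2.com/login.jsp reached via redirect"] = cookie_header_for(
        jar, "http://www.app2.com/login.jsp"
    )
    return seen


if __name__ == "__main__":
    for label, header in simulate_browser().items():
        print(f"{label:45s} -> {header}")
```

Running the script prints one line per request. The point it makes concrete: the browser picks cookies by the requesting host and path only, so two webapps on one host get distinct cookies, a cross-domain call carries nothing from the calling site, and a redirect is just another request whose Cookie header is chosen the same way. The "passing along" the answer warns about under XSS/CSRF is script on one site reading or replaying the value, not something the browser does for you.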