Tags: java, session, spring-security, httpsession

Do applications with spring security share SecurityContextHolder among them


I have two different applications, say A and B. Both are using Spring Security with the same configuration. Here is my situation:

I log into my A application. Everything works fine. But when I log into my B application (it has the same IP but a different port) in another tab of the same browser, I see the lines below and I am thrown out of the A application, which means I am no longer authenticated in it.

DEBUG 2013-05-20 13:42:43,969 [http-8080-2] org.springframework.security.web.FilterChainProxy$VirtualFilterChain : /webapp/backoffice/index.jsp at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'

DEBUG 2013-05-20 13:42:43,969 [http-8080-2] org.springframework.security.web.context.HttpSessionSecurityContextRepository : No HttpSession currently exists

DEBUG 2013-05-20 13:42:43,969 [http-8080-2] org.springframework.security.web.context.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.

  1. I am using HttpSessionSecurityContextRepository as SecurityContextRepository.
  2. I have enabled SessionMigration for security purposes.
  3. I am using ConcurrentSessionFilter, to prevent someone being logged in via two or more devices.

But I am not getting why logging into my B application removes the HttpSession from the A application. (Or maybe something else is happening?)

I want to know whether these applications, share something in common within the browser.


As I was asked about their IP/port: their IPs are the same (both localhost) but they have different ports.

A) localhost:8080/dtts/backoffice
B) localhost:8081/dtts/backoffice

SOLVED

The problem was that for every URL/path there is a unique JSESSIONID. Both of my applications use URL: localhost and path: dtts. That's why the second JSESSIONID replaces the first one.


Solution

  • The cookie from application B is overwriting the cookie stored in the browser for application A, because both cookies are from the same server, i.e. 'localhost', and both cookies have the same name, i.e. 'JSESSIONID'.

    Cookies are not port specific. This is discussed in this question: Are HTTP cookies port specific?

    I believe your options are:

    • Use a different IP or server name to access each application (e.g. localhost and 127.0.0.1, or applicationA.mydomain.com and applicationB.mydomain.com)
    • Use a different name for the session cookie in the container that each application is running in
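
The overwrite described in this answer can be reproduced offline with a cookie jar that applies the same storage rule a browser does (cookies are keyed by domain, path and name; the port is not part of the key). The following is an added example, not code from the question or the answer: it uses Python's stdlib http.cookiejar as a stand-in for the browser's cookie store, the two URLs from the question (localhost:8080 and localhost:8081, both under /dtts), and constructed Set-Cookie headers with made-up session ids (sessionA, sessionB). It then shows both fixes the answer lists: a different host name per application, and a different cookie name per container.

```python
"""Why logging into app B on localhost:8081 evicts the session of app A on
localhost:8080: the cookie jar keys cookies by (domain, path, name) and
ignores the port.  Added example; the Set-Cookie values are constructed."""
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # appends, duplicates kept

    def info(self):
        return self._headers


def login(jar, url, cookie_name, session_id):
    """Simulate the login response of the app at `url`: it issues a session
    cookie scoped to Path=/dtts, as Tomcat would for context path /dtts
    (constructed header, not real container output)."""
    request = urllib.request.Request(url)
    response = _Response([f"{cookie_name}={session_id}; Path=/dtts; HttpOnly"])
    jar.extract_cookies(response, request)


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def scenario(url_a, url_b, name_a="JSESSIONID", name_b="JSESSIONID"):
    """Log into A, then into B, and report what each app receives afterwards
    plus how many cookies the jar actually holds."""
    jar = http.cookiejar.CookieJar()
    login(jar, url_a, name_a, "sessionA")
    login(jar, url_b, name_b, "sessionB")
    return {
        "A": cookie_header_for(jar, url_a),
        "B": cookie_header_for(jar, url_b),
        "stored": len(jar),
    }


if __name__ == "__main__":
    a = "http://localhost:8080/dtts/backoffice/index.jsp"
    b = "http://localhost:8081/dtts/backoffice/index.jsp"
    # Same host, same path, same cookie name: one cookie survives, and app A
    # now receives B's id, which its own session store does not know.
    print("broken      :", scenario(a, b))
    # Fix 1: different host names, so the jar keeps two separate cookies.
    print("other host  :", scenario(a, "http://127.0.0.1:8081/dtts/backoffice/index.jsp"))
    # Fix 2: different cookie name in app B's container; both cookies are
    # sent to both apps, but each app only reads the name it is configured for.
    print("other name  :", scenario(a, b, name_b="BSESSIONID"))
```

In the "other name" case the browser sends both cookies to both applications; that is harmless because each Tomcat instance only consults the cookie whose name it is configured with (the `sessionCookieName` attribute of the `<Context>` element). The "other host" fix works because `localhost` and `127.0.0.1` are different cookie domains even though they resolve to the same machine.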