Issue while accessing two Pega SSO environments
When two applications are loaded sequentially in Internet Explorer in a SiteMinder-protected environment and the first application is PRPC, returning to that application causes the busy indicator to be displayed, and it never clears.
Steps to Reproduce
1. Open any two SiteMinder-protected applications in Internet Explorer, the first one being PRPC.
2. Switch applications to observe the busy indicator.
There are two applications involved here, and both are accessed from the same domain.
Each application is on a separate WebLogic cluster. The web servers are accessed via the same host name <hostName.net> with a plugin that directs the traffic to the proper WebLogic cluster based on context root.
The core problem is that both applications are using the same WebLogic session cookie: JSESSIONID.
When connecting to PRPC the JSESSIONID is set to:
Set-Cookie: JSESSIONID=vHvHVszNl5QYyQnGTHn1Jbf1Gy2fYLhZcm5ZTJC2mMpzR82GQTgx!697134936; path=/; HttpOnly
At this point the browser has registered JSESSIONID for all paths of <hostName.net>.
The user does some work, then connects to PDDA, and the JSESSIONID is set to:
Set-Cookie: JSESSIONID=lLK2n3XkHv9pW-i6Mu_4PaG9G3VQ5GD210RTBC4T0R1iW8jBysZV!1761913519; path=/; HttpOnly
At this point the browser has registered JSESSIONID for all paths of <hostName.net>, overwriting the one set by PRPC.
Notice that each Set-Cookie for JSESSIONID has path set to "/". Each cookie value also carries a WebLogic server ID after the "!" (697134936 for PRPC, 1761913519 for PDDA).
When returning to the PRPC window, the JSESSIONID set for PDDA is sent in the request to PRPC. This results in an error because the plugin at the web server level did not know how to route a request to /prweb with a server ID of 1761913519, so it simply load-balanced the request to a prweb server. It is clear that it did this because the response set a new JSESSIONID with a different server ID:
Set-Cookie: JSESSIONID=YWS2n7CQS7UQQfporc1_I6gLkoWBvoUxrQDhYzzptzKzF8PhfHUQ!358146119; path=/; HttpOnly
Below are the solutions:
1. Change the JSESSIONID cookie name of both prweb and PDDA (for example, JSESSIONIDPRPC / JSESSIONIDPDDA).
2. Change the JSESSIONID cookie of both prweb and PDDA to include the context root in the path attribute of the cookie (for example, path=/prweb for prweb and the PDDA context root for PDDA).
Options 1 and 2 together give the best overall separation of the session cookies for both applications. You cannot change just one application; both must be modified.
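The following is an added example, not part of the original article, that simulates the browser cookie store described above and shows why the two options work and why changing only one application is not enough. A browser identifies a cookie by the tuple (name, domain, path), so a second JSESSIONID with path=/ silently replaces the first. The host name, the two session values and the /prweb context root are taken from the article; /pdda is an assumed placeholder for the PDDA context root, which the article does not name.

```python
"""Simulate a browser cookie store for two WebLogic apps behind one host name.

Added example, not part of the original article. Host, session values and the
/prweb context root come from the article; /pdda is an assumed placeholder.
"""
from dataclasses import dataclass

HOST = "hostName.net"          # placeholder host name used in the article
PRPC_SID = "vHvHVszNl5QYyQnGTHn1Jbf1Gy2fYLhZcm5ZTJC2mMpzR82GQTgx!697134936"
PDDA_SID = "lLK2n3XkHv9pW-i6Mu_4PaG9G3VQ5GD210RTBC4T0R1iW8jBysZV!1761913519"
PRPC_ROOT = "/prweb"
PDDA_ROOT = "/pdda"            # assumed; the article does not name it


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    path: str


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: directory of the request URI when no Path attribute is sent."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0] or "/"


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: does a cookie with cookie_path apply to request_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header: str, request_path: str) -> Cookie:
    """Parse 'NAME=VALUE; path=/x; HttpOnly' the way a browser would."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "path" and val.startswith("/"):
            path = val
    return Cookie(name, value, path or default_path(request_path))


class CookieJar:
    """A cookie's identity is (name, domain, path). Storing another cookie with
    the same identity overwrites the old one, which is exactly what happens
    when both apps send JSESSIONID with path=/."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str, str], Cookie] = {}

    def receive(self, set_cookie: str, request_path: str) -> None:
        cookie = parse_set_cookie(set_cookie, request_path)
        self._store[(cookie.name, HOST, cookie.path)] = cookie

    def cookie_header(self, request_path: str) -> list[tuple[str, str]]:
        """Cookies the browser sends for request_path, longest path first (RFC 6265 5.4)."""
        sent = [c for c in self._store.values() if path_matches(request_path, c.path)]
        sent.sort(key=lambda c: len(c.path), reverse=True)
        return [(c.name, c.value) for c in sent]


def server_id(session_value: str) -> str:
    """WebLogic appends '!<server id>' to the session id; the plugin routes on it."""
    return session_value.rsplit("!", 1)[-1]


def user_journey(prpc_set_cookie: str, pdda_set_cookie: str) -> list[tuple[str, str]]:
    """Open PRPC, then PDDA, then return to PRPC; report what the PRPC request carries."""
    jar = CookieJar()
    jar.receive(prpc_set_cookie, PRPC_ROOT + "/")
    jar.receive(pdda_set_cookie, PDDA_ROOT + "/")
    return jar.cookie_header(PRPC_ROOT + "/")


# As shipped: same cookie name and path=/ on both apps, so PDDA's cookie wins.
AS_SHIPPED = user_journey(f"JSESSIONID={PRPC_SID}; path=/; HttpOnly",
                          f"JSESSIONID={PDDA_SID}; path=/; HttpOnly")
# Option 1: distinct cookie names; both are sent but PRPC reads only its own.
RENAMED = user_journey(f"JSESSIONIDPRPC={PRPC_SID}; path=/; HttpOnly",
                       f"JSESSIONIDPDDA={PDDA_SID}; path=/; HttpOnly")
# Option 2: context root in the path; only PRPC's cookie reaches /prweb.
SCOPED = user_journey(f"JSESSIONID={PRPC_SID}; path={PRPC_ROOT}; HttpOnly",
                      f"JSESSIONID={PDDA_SID}; path={PDDA_ROOT}; HttpOnly")
# Only PRPC changed: the request to /prweb carries two JSESSIONID cookies.
HALF_FIXED = user_journey(f"JSESSIONID={PRPC_SID}; path={PRPC_ROOT}; HttpOnly",
                          f"JSESSIONID={PDDA_SID}; path=/; HttpOnly")

if __name__ == "__main__":
    for label, sent in [("as shipped", AS_SHIPPED), ("option 1", RENAMED),
                        ("option 2", SCOPED), ("only PRPC changed", HALF_FIXED)]:
        print(f"{label:18} -> {[(n, server_id(v)) for n, v in sent]}")
```

In the as-shipped case the request back to /prweb carries only the PDDA session value, with server ID 1761913519, which is the routing failure the article describes. When only PRPC is changed, the browser sends two cookies named JSESSIONID in one request and the plugin and server have to pick one, which is why both applications must be modified.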