Issue
When two Mendix applications run as sub-applications under one Internet Information Services (IIS) website on Windows Server, signing in to one application invalidates the active session in the other application. In a setup such as https://server/NewApp and https://server/MendixNewApp2, navigation back to the first signed-in application redirects to the login page.
Environment
- Applications hosted in On-Premises
- Windows Server with Internet Information Services (IIS)
Cause
Mendix stores authenticated sessions in a cookie named XASSESSIONID. In this IIS sub-application setup, the browser stores that cookie at host scope with path /. Both applications therefore write the same cookie name on the same host. The second sign-in overwrites the first session cookie. After that overwrite, the first runtime receives a session identifier that does not exist in its own session store and redirects to the login page.
Solution/Workaround
Use one of the following independent solutions.
Solution 1 - Set a unique session cookie name for each application. This solution keeps the current single IIS website structure and isolates sessions by cookie name.
- Open the first application in Mendix Service Console > Advanced Settings > Custom Mendix settings and add key
com.mendix.core.SessionIdCookieNamewith valueXASSESSIONID_NEWAPP. - Open the second application in Mendix Service Console > Advanced Settings > Custom Mendix settings and add key
com.mendix.core.SessionIdCookieNamewith a different value, for exampleXASSESSIONID_APP2. - Restart both runtimes and verify that sessions remain active when switching between both applications in one browser session.
Solution 2 - Host each application on a separate IIS website and hostname. This solution isolates sessions at domain level and is recommended for production environments.
- Create one IIS website per Mendix application instead of IIS sub-applications under one parent site.
- Assign a unique hostname to each site, for example
newapp.yourdomain.comandnewapp2.yourdomain.com. - Bind each hostname to the correct backend runtime port and validate sign-in persistence across both applications.
Internal information related
282445,171725
Additional information
Mendix documentation:
Related KBA:
Multiple Mendix session in different tabs of the same browser
0 Comments