<-- Back

Session cookie conflict when running multiple Mendix apps under a single IIS website on Windows Server

Issue

When two Mendix applications run as sub-applications under one Internet Information Services (IIS) website on Windows Server, signing in to one application invalidates the active session in the other application. In a setup such as https://server/NewApp and https://server/MendixNewApp2, navigation back to the first signed-in application redirects to the login page.

Environment

  • Applications hosted in On-Premises
  • Windows Server with Internet Information Services (IIS)

Cause

Mendix stores authenticated sessions in a cookie named XASSESSIONID. In this IIS sub-application setup, the browser stores that cookie at host scope with path /. Both applications therefore write the same cookie name on the same host. The second sign-in overwrites the first session cookie. After that overwrite, the first runtime receives a session identifier that does not exist in its own session store and redirects to the login page.

Solution/Workaround

Use one of the following independent solutions.

Solution 1 - Set a unique session cookie name for each application. This solution keeps the current single IIS website structure and isolates sessions by cookie name.

  1. Open the first application in Mendix Service Console > Advanced Settings > Custom Mendix settings and add key com.mendix.core.SessionIdCookieName with value XASSESSIONID_NEWAPP.
  2. Open the second application in Mendix Service Console > Advanced Settings > Custom Mendix settings and add key com.mendix.core.SessionIdCookieName with a different value, for example XASSESSIONID_APP2.
  3. Restart both runtimes and verify that sessions remain active when switching between both applications in one browser session.

Solution 2 - Host each application on a separate IIS website and hostname. This solution isolates sessions at domain level and is recommended for production environments.

  1. Create one IIS website per Mendix application instead of IIS sub-applications under one parent site.
  2. Assign a unique hostname to each site, for example newapp.yourdomain.com and newapp2.yourdomain.com.
  3. Bind each hostname to the correct backend runtime port and validate sign-in persistence across both applications.

Internal information related

282445,171725

Additional information

Mendix documentation:

Related KBA:

Multiple Mendix session in different tabs of the same browser

Have more questions? Submit a request

0 Comments

Article is closed for comments.

To provide feedback, please open a ticket here. Don't forget to include the article's URL along with the feedback you would like to provide.