We have an ABAP AS system set up to redirect to our J2EE AS engine to get a MYSAPSSO2 cookie set and redirect back for access. The ABAP trusts the J2EE server. The MYSAPSSO2 is valid for only the sub domain (example sub1.sub2.domain.com)
It works great except in one case: when there are 2 MYSAPSSO2 cookies.
When users log on to their workstations their homepage is an EP which issues a cookie with a loose domain and no path. (ex: *.domain.com). The ABAP does not trust the EP since the user ID's are different.
Here is the flow:
If a user goes to the home page / EP first and then to the ABAP system for the redirect for the SSO2 cookie; then the J2EE server issues a MYSAPSSO2 cookie and both are sent to the ABAP but only the EP cookie is processed and fails since the EP is not trusted.
If the user just goes to the ABAP system first then is works, the J2EE server issues a MYSAPSSO2 cookie and is obviously processed and SSO works. The user can go to the EP and even back to the ABAP.
It only fails if they visit the EP first.
The processing order is by age; older tickets are processed first, not by domain level.
So, how can we control MYSAPSSO2 processing order on the ABAP side? Does the JSESSIONID have any influence on the J2EE or ABAP, being that the ABAP is not java (uses sap-session)?
Is this a common problem and are there any solutions?
Thanks