Forum OpenACS Development: Re: Cookies and Port numbers with Mozilla and OpenACS
The problem comes about when you have two openacs instances running on the same time domain, with one at a different host. For example: domain.com and host.domain.com. If you login to domain.com first and then try to login to host.domain.com you won't be able to.
When you go to host.domain.com, IE will look at its cookies and see one for domain.com and hand it to host. host.domain.com will look at the session_id and decide that it's an invalid session (since its a domain.com session) and send you to a login page. After logging in, host.domain.com will try to set the ad_session_id cookie. IE gets the cookie, looks at the domain.com ad_session_id cookie and decides that host. doesn't have the right to change it, so it ignores the cookie. Then host.domain.com asks for the updated cookie (redirecting after login) and IE passes it the wrong cookie again, putting the user in a loop.
The way we have overcome this on our sites is to prepend name of the host to the cookie the host.domain.com box serves up. That way, the two servers don't set cookies with the same name.
My recommendation would be to have a kernel parameter that would allow admins to define arbitrary text that would be prepended to the cookie name (ie. host_ad_session_id).