I have an application that I've been working on for about 12 years. It's comprised of two web applications that both require access to the beans in an EJB jar. For a long time I deployed the pieces separately and never had the issue that I have as a result of moving the components into a single ear for deployment purposes (which I did about 6 years ago). One of the applications is outward-facing, and one is used internally by administrators. The administrative application makes it possible for the administrator to log on to the outward-facing website from the click of a button on the user details page.

When all were deployed independently, everything worked fine. Since packaging the 3 components together, I find that the request to log in to the outward-facing website from the administrative website succeeds. (Username and password are sent from the client.) The outward-facing website greets the end-user and it looks like everything is fine. However, the next click from the outward-facing website to a resource that requires a logged-in user sends the user to the login page. Going back to the administrative web page and clicking on the log in button a second time succeeds in logging in and takes the administrator to the page that was the target of the original click post first successful login. As a result of this 2nd login, the administrator has lost his login in the administrative application.

Some of this is very specific to the way the application behaves, but what isn't is the JSESSIONID cookie that seems to behave a little strangely. From the browser when logged in to the admin app, I see the value of JSESSIONID with path = '/'. When I click on the 'Log in as User' button, I see in the outward-facing site that I have the same JSESSIONID value, same path. (I would have hoped I'd have a different session identifier, but I think I understand that the client is sending the same cookie because the path is the same, i.e., the root.)

When I click on the link from the outward-facing website and am prompted to log in, I can see that the JSESSIONID I'm being sent by the server is altogether different from the one that I had on the previous page. So, the server has created a new session, which I guess means that the client did not send the JSESSIONID on the request for the resource that required a logged-in user, though why it wouldn't is beyond me.

These two applications have two different context-root element values in the application.xml. I would like for the client to associate the JSESSIONID with the path of the context-root so that the two sessions are independent, but this doesn't happen. Have I provided enough information for anyone to tell me what I'm doing wrong, or how I could fix this issue?
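
The cookie-path behaviour described in the post, as an added example that is not part of the original post: it implements the RFC 6265 path-match rule and a minimal cookie jar to show which JSESSIONID a browser sends when two applications on one host set the cookie with Path=/ versus with their own context root. The context roots `/admin` and `/site` and the session values are hypothetical, constructed for the illustration.

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie stored with cookiePath
// get sent on a request for requestPath?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so /admin does not match /administrator.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Minimal cookie jar. A browser stores one cookie per (name, domain, path);
// domain is omitted here because both applications share one host.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  set(name, value, path) {
    // Same name and same path: the newer Set-Cookie replaces the older one.
    this.cookies.set(`${name};${path}`, { name, value, path });
  }
  // Values of `name` that would be sent on a request for requestPath.
  sent(name, requestPath) {
    return [...this.cookies.values()]
      .filter(c => c.name === name && pathMatches(requestPath, c.path))
      .map(c => c.value);
  }
}

// Constructed scenario: hypothetical context roots /admin and /site,
// made-up session ids. Each application issues its own JSESSIONID.
function simulate(adminCookiePath, siteCookiePath) {
  const jar = new CookieJar();
  jar.set("JSESSIONID", "admin-session", adminCookiePath);
  jar.set("JSESSIONID", "site-session", siteCookiePath);
  return {
    admin: jar.sent("JSESSIONID", "/admin/users/42"),
    site: jar.sent("JSESSIONID", "/site/account"),
  };
}

// Path=/ for both: one slot, so the second application's cookie replaces the first.
console.log("shared:", simulate("/", "/"));
// Path=context root: two slots, each application receives only its own session id.
console.log("scoped:", simulate("/admin", "/site"));
```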