Symptoms

An error occurs when running multiple tomcat server instances on the same machine but on different ports and accessing them in parallel browser windows/tabs. 

Cause

Cookies are stored only per hostname, but per default not per host+port name. This causes a conflict in session handling. 

"Google's Browser Security Handbook says: by default, cookie scope is limited to all URLs on the current host name - and not bound to port or protocol information. and some lines later There is no way to limit cookies to a single DNS name only [...] likewise, there is no way to limit them to a specific port. (Also, keep in mind, that IE does not factor port numbers into its same-origin policy at all.)"

Resolution

Name session cookie key differently for each tomcat instance on the same host. 

on Tomcat 5/6

set System parameter org.apache.catalina.SESSION_COOKIE_NAME for each tomcat instance differently

on Tomcat 7

set sessionCookieName attribute for each Context differently (in context.xml in tomcat config folder)

 (since Tomcat 7 org.apache.catalina.SESSION_COOKIE_NAME moved to an attribute on the main <Context> config - see http://tomcat.apache.org/migration-7.html#Session_manager_configuration)


Sample context declaration of instance1: 
<Context path=... sessionCookieName="EccInstance1" ... /> 

Sample context declaration of instance2: 
<Context path=... sessionCookieName="EccInstance2" ... />