Mendix apps should not share session cookie info, logging into one app should not kick you out of any other apps - Mendix Forum


Anytime a user logs into an app, that app sets the "XASSESSIONID" to a new value. This means that when the user returns to another app they were logged into and tries to perform an action, they get presented with the login screen, or get re-authenticated via SSO (if configured). This means that data can be lost if a user was filling out a form but needed to access another app to look something up. Mendix instead should have separate cookies for each app. In theory, one user should be able to log into every single application at the same time without issue. In practice, this is usually only ever 2-3 applications total.

 

We had to create a custom SSO workflow to direct Users to a central app that managed sessions, and would directly copy session data into the second application's database so that when we redirect the User back to the second app, Mendix will not overwrite the session cookie since it has a copy of it. Mendix should have something in place that can handle this automatically, or just use individually prefixed cookies for each application, with the project ID of the application as the prefix.

1 answer

Should Cookies be separated by DNS domain?

This feels more like a bug. What does Mendix support say?

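Added example, not part of the original thread and not Mendix code: a minimal Python model of browser cookie storage, showing why two apps that set the same cookie name collide when they share a hostname, and why separate DNS hostnames or per-app cookie names avoid the collision. The hostnames, ports, the `proj-a_`/`proj-b_` prefixes and the host-only cookie with path `/` are assumptions made for illustration.

```python
from urllib.parse import urlsplit


class CookieJar:
    """Browser cookie store reduced to the RFC 6265 identity rule: a cookie is
    keyed by (name, host, path). Scheme and port are NOT part of the key.
    Only host-only cookies are modelled (no Domain attribute)."""

    def __init__(self):
        self._store = {}

    def set(self, url, name, value, path="/"):
        # A second cookie with the same (name, host, path) replaces the first.
        self._store[(name, urlsplit(url).hostname, path)] = value

    def sent_to(self, url):
        parts = urlsplit(url)
        req_path = parts.path or "/"
        # Simplified path match; sufficient for the path "/" assumed here.
        return {name: value for (name, host, path), value in self._store.items()
                if host == parts.hostname and req_path.startswith(path)}


class App:
    """Hypothetical app server that only knows the sessions it issued itself."""

    def __init__(self, url, cookie_name):
        self.url, self.cookie_name, self.sessions = url, cookie_name, set()

    def login(self, jar):
        sid = f"sid-{len(self.sessions)}@{self.url}"  # constructed session id
        self.sessions.add(sid)
        jar.set(self.url, self.cookie_name, sid)

    def recognises(self, jar):
        return jar.sent_to(self.url).get(self.cookie_name) in self.sessions


def both_sessions_survive(url_a, url_b,
                          name_a="XASSESSIONID", name_b="XASSESSIONID"):
    """Log into app A, then app B, in one browser. Are both still logged in?"""
    jar = CookieJar()
    a, b = App(url_a, name_a), App(url_b, name_b)
    a.login(jar)
    b.login(jar)
    return a.recognises(jar) and b.recognises(jar)
```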