The Session Root Path and Session Scope

As stated above, when a session is created, the BIS server will include a Session Cookie that uniquely identifies the session with the response. The user agent saves the cookie, and includes the cookie with subsequent requests. The BIS server uses the cookie to associate requests with sessions.

Cookies are shared by all instances of a particular user agent. This makes it difficult for a particular user agent to gain access to more than one session on the server-if multiple browser windows on the same client machine request the same page, each window will send the same cookie, BIS will see the requests as originating in a single window, and will not create additional sessions. Multiple sessions are desirable if the end user wishes to run multiple BIS applications hosted by the same server in separate windows, or the application developer wishes to include multiple applications in a browser window by using HTML <OBJECT> or <IFRAME> tags.

Fortunately, there is a solution: the scope of a particular session cookie can be restricted to particular URL paths on the server. The user agent will only include the session cookie with a request URL that is as specific as, or more specific than the path that was specified when the cookie was stored in the user agent.

IIS and Apache derive the default application root path differently:

The application root path may be changed by using the {{SessionParms}} tag only during the rendering of the session's initial page. The session root directory may be set to:

  1. DEFAULT: the application root path.
  2. The path that directly contains the requested object.
  3. Any path that contains the requested object. However, the path cannot be closer to the root directory than the application root path.

For example, if the request URL is

and the default application root path is


then the application root path may be changed to any one of

See The {{SessionParms}} Tag for more information.