What I did was visit http://dotlrn.collaboraid.net/test/, then click to log in as admin on one of test servers.
It works on Opera and Mozilla, but not on IE.
The problem is that dotlrn.collaboraid.net cookies me with an 'ad_session_id' cookie when I visit that page.
Then I click through to http://dotlrn10-test.dotlrn.collaboraid.net/register/admin-login which issues another 'ad_session_id' cookie, this time one that inlucdes user_id info, to record that I'm logged in. It doesn't issue an 'ad_user_login' cookie, because I'm not permanently logged in, only for this session.
Now, the problem with IE is that when I visit the second server, because dotlrn10-test.dotlrn.collaboraid.net is a subdomain of dotlrn.collaboraid.net, it sends *both* 'ad_session_id' cookies.
Our session/security code, however, only finds the first one, which happens to belong to the *other* site. So we issue a new session cookie, which, again, isn't received back. So we keep reissuing new session cookies, and you're never logged in, because the session cookie that contained the user_id info is never found.
Now I know that it's IE that's broken, but IE is also fairly widely deployed, so I think we should probably fix this bug, however uncommon it is to people to experience it in real-life settings.
What can we do about this problem? Three options:
1) search all 'ad_session_id' cookies for one where the session_id is valid. If found, use that. If not, re-issue.
2) embed the server name or host name in the cookie, and seach all 'ad_sesion_id' cookies.
3) embed the server (host) name in the name of the cookie, e.g. 'ad_session_id.openacs.org' (or 'ad_session_id_openacs_org' if dot's aren't allowed), and search for that.
I prefer option 3, because it's clean and simple and doesn't involve scanning all the cookies ... we go straight to the one we care about.
Of course, all cookies will expire as a consequence of this change, but I suppose we can live with that.
I think we should be able to fix this as part of our external authentication work which will start shortly.