I'm using 4.0.5.GA and I have enabled the org.apache.catalina.authenticator.SingleSignOn valve in tomcat/server.xml. I'm trying to protect my web apps using the OWASP Stinger servlet filter, specifically its cookie validation feature. I'm trying to determine when I will get a regular JESSSIONID and when I will get a JESSIONIDSSO? I have noticed that I get either a varied points when I enter my web app. My app is only accessible via SSL and I have configured the SSO valve to my domain, not just the app context. Also, Is there an issue with session cookies and IE7?