In case of SaaS applications, where the same server plays host to multiple applications. How are session attributes maintained? To elaborate the question: AppA, and AppB are hosted on the same machine, I now create UserA for AppA and UserB for AppB. AppA and AppB belong to different organizations so they are not linked. Some details about the user are stored at http session level (until the session times out). So now if I log in to both AppA and AppB from the same browser using different tabs, I may end up seeing some of UserA/AppA details on the UserB/AppB screen or vice-versa. How can such a problem be solved? One solution I can think is to create subdomains like appa.example.org and appb.example.org. Is there any other/better way?
Normally you will not see details from one app in another app.
When a session is created it is created inside the web application and identified by a key. This session-id is what is stored in a cookie or passed in some other way to identify which session object to refer to on the next request.
If you would present this session id to another webapp it won't find the attributes because they live in the other webapp.
Now, that is 'normally'. In practice this can be configured in all directions, like storing all atributes in the cookie (very useful in extreme failover scenarios), storing the session in a shared memcached layer or shared database table (then you would get the same object back in the other application of course), and so on, and so on.