That is because your session cookie is domain specific. Look at your browser debugging tools and you'll see your jsessionid changes.
The answer to this should be to set domain cookies. There's a ticket for Railo that was supposedly fixed, but someone commented saying it wasn't and I never went back and tested it.
The workaround used to be to must manually set your cookie to the top level domain in your onRequestStart if I recall, thus overwriting the cookie that Railo is setting.
The key is that whether you hit www.tropical.test or app.tropical.test, the domain on your session cookies must be tropical.test.
Thanks!
--------- Original Message ---------