This behavior occurs because the Microsoft Office session is independent of the Web browser session in which you may have already provided user credentials. Because the sessions are independent, session cookies are not shared. When you try to access a document that is hyperlinked to DocuShare and access to the hyperlinked document does not include the Guest (User-1) access the user is prompted to log into DocuShare. Microsoft Word appears to call DocuShare with an old cached browser session. The User-1 cookie that DocuShare sees after the user has clicked on a DocuShare URL in a Word document has a different cookie value and a different HttpServletRequest.requestedSessionId. DocuShare correctly sets the cookie value on this old cached session before displaying the authorization error page. When the request comes into DocuShare from the Login page, the User-1 browser cookie is correct again. But it is not the same as the one received from Word. It's the last User-1 cookie set in the DocuShare session. Additional information on this problem can be found in Microsoft Knowledge Base Article 899927 http://support.microsoft.com/kb/899927/en-us