How SAP Mobile Platform Server Handles Cookies

When calling endpoints or back ends via SAP Mobile Platform Server, which acts as an OData proxy (ODP), the server manages the cookies it receives on behalf of the client.

In a typical setup, the client connects through a load balancer or reverse proxy, rather than directly to SAP Mobile Platform Server. The load balancer or reverse proxy forwards the request to an SAP Mobile Platform Server instance and the SAP Mobile Platform Server OData proxy calls the back end.

The following steps outline how SAP Mobile Platform Server handles cookies after the client has issued a call to either the server or a configured endpoint.

  1. The client sends its application registration, known as the application connection ID (APPCID), as either a header or a cookie value. The request also contains a session cookie from SAP Mobile Platform Server and probably session cookies from the load balancer or reverse proxy and from the back end.
  2. The load balancer or reverse proxy handles the session cookies that the client sends to provide session stickiness. In most cases, these cookies are forwarded to SAP Mobile Platform Server.
  3. SAP Mobile Platform Server uses the APPCID and the session cookie to identify the client session. It may also add single sign-on cookies to the back-end request. SAP Mobile Platform Server filters out existing platform-specific cookies (created by the server) that must not be forwarded to the back end. The following cookies are filtered (ignoring case):
    • Host
    • X-SupDeviceID
    • User-Agent
    • Connection
    • X-SUP-APPCID
    • X-SMP-APPCID
    • X-SMP-SESSID
    • ias-rs-sessionid
    • X-SMP-SESSIDSSO
    • jtenantsessionid...
    In addition, you can configure further cookies to be ignored by setting the com.sap.mobile.platform.server.proxy.core.handler.DirectProxy.ignoreCookieList system property (for example, by adding it to the props.ini file in the SAP Mobile Platform Server home directory). Separate cookie names with commas. A trailing asterisk indicates that all cookies whose names start with the given text are ignored. If you do not set this property, the following cookies are removed (default configuration):
    • BIGip...
    • JSESSIONID
  4. SAP Mobile Platform Server stores all the cookies that are returned by back ends in a cookie store, which mimics standard browser behavior. The cookie store is serialized into a string, gzipped, and Base64 encoded.
  5. The cookie-store string is split into fragments of 4000 characters and sent back to the client as cookies named SMP_COOKIE_STORE_<appcid>_<num>, where <num> is a running number starting at zero (0) and <appcid> is replaced by the application connection ID of the client. These cookies are always marked HttpOnly. When the incoming connection to SAP Mobile Platform Server uses HTTPS, the cookies are also marked Secure.
  6. When an incoming request from the client contains cookies matching the SMP_COOKIE_STORE_<appcid>_0-99 names, the cookie store is reassembled: the parts are concatenated, Base64 decoded, and un-gzipped, and the result is used for communicating with the back end. Any other cookies the client sends that are not on the ignore list pass the filter and are forwarded to the back end as-is.
  7. The load balancer or reverse proxy may add another session cookie if the cookie has changed or was not present in the original client request. These additional cookies are added to the response after it has been handled by SAP Mobile Platform Server.
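The following Python model of steps 3 through 6 is an added example, not SAP Mobile Platform Server code. It implements the case-insensitive cookie filter with the ignoreCookieList syntax (comma-separated names, trailing asterisk as a prefix wildcard), the gzip-plus-Base64 serialization of the cookie store, the split into 4000-character SMP_COOKIE_STORE_<appcid>_<num> cookies with the HttpOnly and Secure flags, and the reassembly on the next request. The JSON layout of the store, the spelling of the default ignore list as "BIGip*", and the precedence when merging the rebuilt store with pass-through client cookies are assumptions; the page does not state them. Note that gzip and Base64 are reversible encodings, so the HttpOnly and Secure attributes from step 5 are what keep the store away from page scripts and off plaintext connections.

```python
import base64
import gzip
import json

# Constructed model of steps 3-6; not SAP Mobile Platform Server code.
FRAGMENT_SIZE = 4000   # characters per SMP_COOKIE_STORE_<appcid>_<num> cookie
MAX_FRAGMENTS = 100    # fragment numbers 0-99 are reassembled

# Platform-specific cookie names that are never forwarded (compared ignoring case).
PLATFORM_COOKIES = {
    "host", "x-supdeviceid", "user-agent", "connection", "x-sup-appcid",
    "x-smp-appcid", "x-smp-sessid", "ias-rs-sessionid", "x-smp-sessidsso",
    "jtenantsessionid",
}

# Used when the ignoreCookieList property is not set; the "BIGip*" spelling is assumed.
DEFAULT_IGNORE_LIST = "BIGip*,JSESSIONID"


def parse_ignore_list(value):
    """Split a comma-separated ignoreCookieList into exact names and prefixes."""
    exact, prefixes = set(), []
    for entry in value.split(","):
        name = entry.strip().lower()
        if not name:
            continue
        if name.endswith("*"):
            prefixes.append(name[:-1])   # trailing asterisk: match by prefix
        else:
            exact.add(name)
    return exact, prefixes


def filter_client_cookies(cookies, ignore_list=DEFAULT_IGNORE_LIST):
    """Return only the client cookies that may be forwarded to the back end as-is."""
    exact, prefixes = parse_ignore_list(ignore_list)
    forwarded = {}
    for name, value in cookies.items():
        lname = name.lower()
        if lname in PLATFORM_COOKIES or lname in exact:
            continue
        if any(lname.startswith(p) for p in prefixes):
            continue
        forwarded[name] = value
    return forwarded


def encode_cookie_store(store):
    """Serialize the store (JSON layout assumed), gzip it and Base64-encode it."""
    raw = json.dumps(store, sort_keys=True).encode("utf-8")
    return base64.b64encode(gzip.compress(raw)).decode("ascii")


def decode_cookie_store(encoded):
    """Reverse of encode_cookie_store: Base64-decode, un-gzip, parse JSON."""
    return json.loads(gzip.decompress(base64.b64decode(encoded)).decode("utf-8"))


def fragment_store(encoded, appcid, https):
    """Split the encoded store into Set-Cookie values of at most FRAGMENT_SIZE chars."""
    chunks = [encoded[i:i + FRAGMENT_SIZE] for i in range(0, len(encoded), FRAGMENT_SIZE)]
    if len(chunks) > MAX_FRAGMENTS:
        raise ValueError("cookie store needs more than %d fragments" % MAX_FRAGMENTS)
    set_cookies = []
    for num, chunk in enumerate(chunks):
        attrs = ["HttpOnly"]          # always HttpOnly
        if https:
            attrs.append("Secure")    # only when the client connection uses HTTPS
        set_cookies.append("SMP_COOKIE_STORE_%s_%d=%s; %s"
                           % (appcid, num, chunk, "; ".join(attrs)))
    return set_cookies


def split_store_fragments(cookies, appcid):
    """Separate SMP_COOKIE_STORE_<appcid>_0-99 cookies from the other client cookies."""
    prefix = "SMP_COOKIE_STORE_%s_" % appcid
    fragments, others = {}, {}
    for name, value in cookies.items():
        suffix = name[len(prefix):] if name.startswith(prefix) else ""
        if suffix.isdigit() and int(suffix) < MAX_FRAGMENTS:
            fragments[int(suffix)] = value
        else:
            others[name] = value
    return fragments, others


def reassemble_store(fragments):
    """Concatenate fragments 0..n-1 in order; a missing fragment makes the store unreadable."""
    parts = []
    for num in range(len(fragments)):
        if num not in fragments:
            raise ValueError("fragment %d missing" % num)
        parts.append(fragments[num])
    return decode_cookie_store("".join(parts))


def cookies_for_backend(client_cookies, appcid, ignore_list=DEFAULT_IGNORE_LIST):
    """Steps 3 and 6 combined: rebuilt store plus the pass-through client cookies.
    Letting client cookies override same-named store entries is an assumption."""
    fragments, others = split_store_fragments(client_cookies, appcid)
    backend = reassemble_store(fragments) if fragments else {}
    backend.update(filter_client_cookies(others, ignore_list))
    return backend
```

Run fragment_store on the output of encode_cookie_store to see how a larger back-end cookie set spreads over several SMP_COOKIE_STORE_<appcid>_<num> cookies, then feed the resulting name/value pairs to cookies_for_backend to confirm the round trip; a custom ignore list passed to filter_client_cookies replaces the default list entirely, as the page describes.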