
J2EE Engine Cookies

Caution

The session and load balancing cookies described below are used by the J2EE Engine as a means of performing session tracking and load balancing for Web applications, respectively. You should not use the syntax of those cookies explicitly in your application logic. To work properly, your HTTP client must handle all cookies sent by the J2EE Engine according to the HTTP State Management Mechanism (RFC 2109). This documentation provides an overview of the syntax and attributes of the cookies to help you understand how they are used by the J2EE Engine.

Session Cookie

The J2EE Engine uses this type of cookie for session tracking.

The name of the session cookie is JSESSIONID (in accordance with the Java™ Servlet 2.3 specification). The value of the JSESSIONID cookie has a specific format that includes information necessary for the process of session tracking. If the cookie sent with the request is not compliant with this format, it is ignored by the Web Container and is therefore not used for session tracking.

From an application developer’s point of view, the generation of the cookie and the details of the format are of no interest. It is all handled by the Web Container. You only need to be aware that a JSESSIONID cookie is set to your HTTP client with the first request to the application. You do not have to rely on the cookie format in your application logic as this format is for internal use and SAP can change it without further notice.

For more information about the session tracking process, see Session Tracking with Servlets.

Session Cookie Attributes

The Web Container sets the following attributes when creating a session cookie by default:

·        Domain attribute – the value of this attribute must be a fully-qualified host name (FQHN). A fully-qualified host name means either the fully-qualified domain name of a host (that is, a complete domain name ending in a top-level domain such as .com or .org), or the numeric Internet Protocol (IP) address of a host. The J2EE Engine's Web Container sets the domain attribute using the host name from the client request. If it is an IP address, it sets the IP address as the domain attribute value. If it is a domain name of the type A.B.C, where B and C do not contain dots, it sets a domain attribute value of *.B.C. If the host is not a fully-qualified domain name, the domain attribute is not set. The value of the domain attribute specifies the set of hosts to which the cookie must be sent.

·        Path attribute – this specifies the subset of URLs to which this cookie applies. The J2EE Engine's Web Container sets the path attribute of the session cookie to the value "/". Thus, the cookie applies to all Web applications on a given host. This value is also necessary to perform Single Sign-On for Web applications.
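The domain rule above is easy to misread, so here is the derivation written out as an added example (not code from the J2EE Engine or from SAP). It takes the host name from a request and returns the domain attribute value in the same notation the text uses (*.B.C). Assumptions: a port suffix is stripped before the check, IPv6 literals are out of scope, and "fully-qualified" is taken to mean at least three labels, since the text only defines the A.B.C case; a two-label host therefore gets no domain attribute.

```python
import ipaddress
from typing import Optional


def session_cookie_domain(request_host: str) -> Optional[str]:
    """Derive the session cookie Domain attribute from the request's host name.

    Mirrors the three cases in the documentation:
      - numeric IP address       -> the IP address itself
      - name of the form A.B.C   -> "*.B.C" (B and C are the last two labels)
      - anything else            -> None (attribute is not set)
    Assumption: IPv4 only; bracketed IPv6 literals are not handled here.
    """
    host = request_host.strip().lower()
    # Strip a ":port" suffix; a single colon means "host:port", not an IPv6 literal.
    if host.count(":") == 1:
        host = host.split(":", 1)[0]

    # Case 1: numeric IP address is used as-is.
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass

    labels = host.split(".")
    # Case 2: A.B.C where B and C contain no dots. A may itself contain dots,
    # so any name with three or more labels resolves to the last two.
    if len(labels) >= 3 and all(labels):
        return "*." + labels[-2] + "." + labels[-1]

    # Case 3: not a fully-qualified domain name (assumption: fewer than 3 labels).
    return None


if __name__ == "__main__":
    for h in ("10.1.2.3", "host.example.com:50000", "portal.corp.example.com", "myhost"):
        print(f"{h:32} -> {session_cookie_domain(h)}")
```

Hosts with fewer than three labels are a common source of surprise in test landscapes: the container then omits the domain attribute and the browser scopes the cookie to the exact host it came from.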

Note

You may have to adapt the default domain attribute of the JSESSIONID cookie in certain cases when several servers share the same domain. For more information, see SAP Note 791765.

Load Balancing Cookie

This type of cookie is used by both the SAP Web Dispatcher and the J2EE Engine to perform load balancing of HTTP requests to distributed Web applications. The cookie name is composed of the saplb_ string and a string that represents a logon group. A logon group is defined by a set of J2EE instances with certain application aliases that are active on them. The value contains information about the server process the application runs on, as well as the Web AS Java instance the server resides in.

The load balancing cookie is used by the SAP Web Dispatcher (or a third party load balancing solution) for instance-based load balancing. At instance level, it is used by the Java dispatcher to balance load between the server processes that are available.

Load Balancing Cookie Default Attributes

·        Domain attribute – no domain attribute is set. This means the cookie is valid for the current host only.

·        Path attribute – the value of this attribute is set to "/". This means the cookie applies to all Web applications on a given host.

Note

You can configure the attributes that the J2EE Engine sets to the session and load balancing cookies using the <cookie-config> element of the additional deployment descriptor of your Web applications. For more information, see Configuring the J2EE Engine Cookies.

HttpOnly Attribute for Cookie Security Protection

To increase the security protection of system cookies (session and load balancing cookies) and to prevent potential misuse of session information in cookies by client side scripts during server runtime, you can enable the use of the additional system cookie attribute HttpOnly. When the use of the HttpOnly attribute is enabled, Web browsers (valid only for IE version 6.0 SP1 or higher) return empty responses to JavaScript requests for access to the system cookies.

Caution

This feature currently has effect only for Web browsers Internet Explorer version 6.0 SP1 and later. For more information about the HttpOnly feature in Internet Explorer 6.0 SP1, see the relevant documents available at msdn.microsoft.com. For more information about support for this feature by other Web browsers, consult the documentation of your Web browser provider.

You enable the runtime use of the HttpOnly attribute for system cookies by configuring the value of the HTTP service property SystemCookiesDataProtection to true.
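After switching SystemCookiesDataProtection on, the practical check is to look at the Set-Cookie headers the engine actually emits. The following is an added example (not part of the SAP documentation or the J2EE Engine) that parses Set-Cookie headers, picks out the system cookies by name (JSESSIONID and saplb_*) and reports any that lack HttpOnly or do not carry the documented Path of "/". The sample headers are constructed for illustration; the cookie values are placeholders, since the real value format is internal to the engine.

```python
import re
from typing import Dict, List

# System cookies as named in the documentation: the session cookie and the
# load balancing cookie, whose name is "saplb_" followed by a logon group.
SYSTEM_COOKIE = re.compile(r"^(JSESSIONID|saplb_.+)$")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and the attributes of interest."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {
        "name": name.strip(), "value": value.strip(),
        "path": None, "domain": None, "httponly": False,
    }
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "path":
            cookie["path"] = val.strip()
        elif key == "domain":
            cookie["domain"] = val.strip()
    return cookie


def check_system_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return one finding per system cookie that deviates from the documented attributes."""
    findings: List[str] = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        if not SYSTEM_COOKIE.match(str(c["name"])):
            continue  # application cookies are not covered by SystemCookiesDataProtection
        if not c["httponly"]:
            findings.append(f"{c['name']}: HttpOnly missing")
        if c["path"] != "/":
            findings.append(f"{c['name']}: Path is {c['path']!r}, expected '/'")
    return findings


# Constructed sample: one compliant session cookie, one load balancing cookie
# sent without HttpOnly, and one application cookie that is ignored by the check.
SAMPLE_HEADERS = [
    "JSESSIONID=placeholder-session-value; Path=/; Domain=*.example.com; HttpOnly",
    "saplb_GROUP1=placeholder-lb-value; Path=/",
    "userpref=dark; Path=/myapp",
]

if __name__ == "__main__":
    for finding in check_system_cookies(SAMPLE_HEADERS):
        print(finding)
```

Run against headers captured from a test client after the property change; an empty result means both system cookies carry HttpOnly and the expected path, while a finding on the saplb_ cookie alone usually points at a load balancer in front of the engine rewriting the header.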

Recommendation

For backward compatibility, by default the HttpOnly attribute is not enabled for use in system cookies. We recommend that you manually enable it after verifying that your applications do not rely on reading system cookies on the client side.

For more information about configuring HTTP service properties, see HTTP Provider Service.


See also:

Using Logon Tickets for Single Sign-On
