
Security Sessions (background documentation)

The authentication information of a Web application user is stored in a session object in the AS Java Web Container. This session is referred to as a security session and is distinct from the HTTP session. The two are complementary: the security session carries the security-related information (the authenticated user and its credentials) for the user that an HTTP session identifies. A security session can be associated with more than one HTTP session (in the case of Single Sign-On across Web applications), whereas each HTTP session is associated with exactly one security session.

Life Cycle of Security Sessions

The life cycle of a security session is tied to the life cycle of the HTTP sessions associated with it: a security session lasts until all of its associated HTTP sessions have expired or been invalidated. Conversely, if the security session itself expires or is invalidated (for example, on user logout), all associated HTTP sessions are invalidated as well.

Security Sessions and Failover

Security sessions on the AS Java are not serialized. Consequently, if a server process crashes, the failover function cannot migrate the security session to another cluster element together with the HTTP session: the HTTP session arrives on the new node without its authentication, and the user has to authenticate again.
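The following is an added toy model of the association and life-cycle rules described above (one security session to many HTTP sessions, each HTTP session to exactly one security session, invalidation in both directions) and of the failover behaviour in this section. It is illustrative code written for this page, not the AS Java implementation, and it uses no SAP API; all class and method names, the 1800-second timeout and the user names are invented. The failover snapshot deliberately serializes only the HTTP sessions, so a registry restored on another node can no longer resolve an authenticated user for a migrated HTTP session.

```python
# Toy model of the security-session / HTTP-session relationship on AS Java.
# Added illustration with invented names; NOT the AS Java implementation.
import json
import secrets
from dataclasses import asdict, dataclass, field
from typing import Dict, Optional, Set


@dataclass
class HttpSession:
    sid: str
    last_access: float
    max_inactive: float = 1800.0          # seconds; constructed default timeout
    security_sid: Optional[str] = None    # exactly one security session per HTTP session
    valid: bool = True

    def is_expired(self, now: float) -> bool:
        return now - self.last_access > self.max_inactive


@dataclass
class SecuritySession:
    ssid: str
    user: str                                           # authentication information
    http_sids: Set[str] = field(default_factory=set)    # one security session, many HTTP sessions
    valid: bool = True


class SessionRegistry:
    """Both session kinds as held by one server process."""

    def __init__(self) -> None:
        self.http: Dict[str, HttpSession] = {}
        self.security: Dict[str, SecuritySession] = {}

    def login(self, user: str, now: float) -> str:
        """Authenticate: create a security session and its first HTTP session."""
        ss = SecuritySession(ssid=secrets.token_hex(8), user=user)
        self.security[ss.ssid] = ss
        return self.open_http(ss.ssid, now)

    def open_http(self, ssid: str, now: float) -> str:
        """SSO case: a further Web application reuses the existing security session."""
        ss = self.security.get(ssid)
        if ss is None or not ss.valid:
            raise PermissionError("security session is invalid; re-authenticate")
        hs = HttpSession(sid=secrets.token_hex(8), last_access=now, security_sid=ssid)
        self.http[hs.sid] = hs
        ss.http_sids.add(hs.sid)
        return hs.sid

    def invalidate_http(self, sid: str) -> None:
        """Drop one HTTP session; the security session ends only when its last one is gone."""
        hs = self.http.pop(sid, None)
        if hs is None:
            return
        hs.valid = False
        ss = self.security.get(hs.security_sid)
        if ss is not None:
            ss.http_sids.discard(sid)
            if not ss.http_sids:
                ss.valid = False
                del self.security[ss.ssid]

    def logout(self, ssid: str) -> None:
        """Invalidating the security session invalidates every associated HTTP session."""
        ss = self.security.get(ssid)
        if ss is None:
            return
        for sid in list(ss.http_sids):
            self.invalidate_http(sid)

    def sweep_expired(self, now: float) -> None:
        """Timeout handling: each expired HTTP session is invalidated individually."""
        for sid, hs in list(self.http.items()):
            if hs.is_expired(now):
                self.invalidate_http(sid)

    def authenticated_user(self, sid: str) -> Optional[str]:
        """User behind an HTTP session; None means the caller must authenticate."""
        hs = self.http.get(sid)
        if hs is None or not hs.valid:
            return None
        ss = self.security.get(hs.security_sid)
        return ss.user if ss is not None and ss.valid else None

    def failover_snapshot(self) -> str:
        """Only HTTP sessions are serialized; security sessions are not (as on AS Java)."""
        return json.dumps([asdict(hs) for hs in self.http.values()])

    @classmethod
    def restore(cls, snapshot: str) -> "SessionRegistry":
        """Other cluster node: HTTP sessions come back, their security sessions do not."""
        reg = cls()
        for d in json.loads(snapshot):
            hs = HttpSession(**d)
            reg.http[hs.sid] = hs
        return reg


if __name__ == "__main__":
    reg = SessionRegistry()
    sid1 = reg.login("alice", now=0.0)
    sid2 = reg.open_http(reg.http[sid1].security_sid, now=10.0)   # SSO into a second app
    reg.invalidate_http(sid1)
    print(reg.authenticated_user(sid2))                          # still alice
    node2 = SessionRegistry.restore(reg.failover_snapshot())
    print(node2.authenticated_user(sid2))                        # None: authenticate again
```

The security-relevant check is `authenticated_user`: it resolves the user only through a still-valid security session, so an HTTP session that was restored on another node, or whose security session was logged out, never yields an identity.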
