AS Java Cookies

Caution

The session and application cookies described below are used by the AS Java for session tracking and for load balancing of Web applications, respectively. Do not depend on the syntax of these cookies in your application logic: their format is an implementation detail and may change. For the mechanisms to work, your HTTP client must handle all cookies sent by the AS Java according to the HTTP State Management Mechanism (RFC 2109, since superseded by RFC 6265). This documentation gives an overview of the syntax and attributes of the cookies so that you understand how the AS Java uses them.
Session Cookie

The AS Java uses this type of cookie for session tracking.

The name of the session cookie is JSESSIONID (in accordance with the Java Servlet 2.5 specification). The value of the JSESSIONID cookie has a specific format that includes information necessary for the process of session tracking. If the cookie sent with the request is not compliant with this format, it is ignored by the Web Container and is therefore not used for session tracking.

From an application developer's point of view, the generation of the cookie and the details of its format are of no interest; the Web Container handles all of it. You only need to be aware that the JSESSIONID cookie is set on your HTTP client with the first request to the application, once a session has been established.

More information about the session tracking process: Session Tracking with Servlets.

Application Cookie

The application cookie is used only by the SAP Web Dispatcher (or a third party load balancing solution) for instance-based load balancing.

The cookie name is composed of the string saplb_ followed by a string that identifies a logon group. A logon group is defined by a set of Java EE instances on which certain application aliases are active. The cookie value identifies the server process the application runs on and the Web AS Java instance in which that server resides, so that the load balancer can route subsequent requests of the same client to the same process.

Cookie Attributes

Both the session and the application cookie have the following attributes. For each attribute, the description, the possible configuration values, and the default value are listed.

Path

  Description: Provides the subset of URLs to which the cookie applies. This value is necessary to perform Single Sign-On for Web applications.

  Possible values:

  • APPLICATION — the Web Container sets the path to /<alias-name>/

  • NONE — the Web Container does not set a path attribute

  • Custom string — the Web Container uses the string as the path value

  Default value: /

Domain

  Description: Defines the domain for which the cookie is valid; the semantics of the value is to specify the set of hosts to which the cookie must be sent. The value of this attribute must be a fully-qualified host name (FQHN), which means either the fully-qualified domain name of a host (a complete domain name ending in a top-level domain such as .com or .org) or the numeric Internet Protocol (IP) address of a host. With the SERVER setting, the Web Container derives the domain attribute from the host name in the client request: if it is an IP address, the IP address is used as the domain attribute value; if it is a domain name of the form A.B.C, where B and C do not contain dots, the domain attribute is set to *.B.C (the cookie is then sent to every host under B.C); if the host is not a fully-qualified domain name, no domain attribute is set.

  Possible values:

  • SERVER — the Web Container sets the domain attribute from the host name of the request, as described above

  • NONE — the Web Container does not set a domain attribute

  • Custom string — the Web Container uses the string as the domain value

  Default value: NONE

Maximum age

  Description: Specifies the lifetime of the cookie in seconds.

  Possible values:

  • Positive integer — the number of seconds after which the HTTP client discards the cookie

  • 0 — the HTTP client discards the cookie immediately (this is how an existing cookie is deleted)

  • Not specified — the cookie is not stored persistently and is discarded when the HTTP client (browser) session ends

  Default value: (Not specified)

Note

You may have to adapt the default domain attribute of the JSESSIONID cookie in certain cases when several servers share the same domain. For more information, refer to SAP Note 791765 (this note was created for SAP NetWeaver 2004 but is still applicable to SAP NetWeaver 7.1).
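The following is an added example, not code from SAP or from the AS Java itself. It models the rules in the table above: how the Path and Domain attributes are derived from the configured setting and the request host, how Max-Age is rendered, and what the resulting Set-Cookie headers for the two system cookies look like. The function names, the cookie values (sessionvalue, groupvalue) and the alias myapp are assumptions for illustration; the real JSESSIONID value format is container-specific and is not documented on this page. The Secure attribute is not covered by the page and is included only as an optional parameter.

```python
"""Model of the AS Java cookie attribute rules (added example, not SAP code)."""
import ipaddress
from typing import List, Optional


def derive_domain(request_host: str, setting: str = "SERVER") -> Optional[str]:
    """Domain attribute for the request Host. setting is SERVER, NONE or a custom string."""
    if setting == "NONE":
        return None
    if setting != "SERVER":
        return setting                        # custom string is used verbatim
    host = request_host.rsplit(":", 1)[0]     # drop an explicit port (assumes IPv4 or host name form)
    try:
        ipaddress.ip_address(host)            # numeric IP address: used as-is
        return host
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 3 or "" in labels:
        return None                           # not a fully-qualified name: no Domain attribute
    # A.B.C with dot-free B and C: the page writes this as *.B.C; in Set-Cookie
    # syntax that is the leading-dot form .B.C, which matches every host under B.C.
    return "." + ".".join(labels[-2:])


def derive_path(alias: str, setting: str = "APPLICATION") -> Optional[str]:
    """Path attribute: APPLICATION -> /<alias>/, NONE -> no attribute, otherwise the string itself."""
    if setting == "NONE":
        return None
    if setting != "APPLICATION":
        return setting
    return "/" + alias.strip("/") + "/"


def render_set_cookie(name: str, value: str, path: Optional[str] = None,
                      domain: Optional[str] = None, max_age: Optional[int] = None,
                      http_only: bool = False, secure: bool = False) -> str:
    """Render one Set-Cookie header line from the attribute values."""
    parts = [f"{name}={value}"]
    if path is not None:
        parts.append(f"Path={path}")
    if domain is not None:
        parts.append(f"Domain={domain}")
    if max_age is not None:                   # 0 tells the client to discard the cookie at once;
        parts.append(f"Max-Age={int(max_age)}")  # omitted -> discarded when the browser session ends
    if http_only:
        parts.append("HttpOnly")
    if secure:                                # Secure is not discussed on this page; assumption
        parts.append("Secure")
    return "Set-Cookie: " + "; ".join(parts)


def first_response_headers(request_host: str, alias: str, logon_group: str,
                           domain_setting: str = "NONE", path_setting: str = "/",
                           http_only: bool = True) -> List[str]:
    """Set-Cookie headers for the first response of a session: the JSESSIONID session
    cookie and the saplb_<group> application cookie, using the table's defaults
    (Path / and no Domain) unless overridden. Cookie values are dummies."""
    path = derive_path(alias, path_setting)
    domain = derive_domain(request_host, domain_setting)
    return [
        render_set_cookie("JSESSIONID", "sessionvalue", path, domain, None, http_only),
        render_set_cookie(f"saplb_{logon_group}", "groupvalue", path, domain, None, http_only),
    ]


if __name__ == "__main__":
    for line in first_response_headers("portal.example.com", "myapp", "grp"):
        print(line)
    for line in first_response_headers("portal.example.com", "myapp", "grp",
                                       domain_setting="SERVER", path_setting="APPLICATION"):
        print(line)
```

Running the script prints the default headers (Path=/, no Domain) followed by the SERVER/APPLICATION variant, where the domain becomes .example.com and the path /myapp/. Note that with the SERVER setting a two-label host such as example.com or a bare host name yields no Domain attribute at all, which is the case SAP Note 791765 addresses when several servers share a domain.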

HttpOnly Attribute for Cookie Security Protection

To increase the protection of the system cookies (session and application cookies) and to prevent misuse of the session information they carry by client-side scripts, you can enable the additional cookie attribute HttpOnly for them. When HttpOnly is enabled, a Web browser that supports the attribute does not expose the system cookies to client-side script: reading document.cookie from JavaScript returns the other cookies but not JSESSIONID or saplb_*. This limits the damage of a cross-site scripting flaw, because injected script cannot read and exfiltrate the session ID, but it does not prevent the flaw itself, and requests issued by such script still carry the cookie automatically.

Caution

At the time this documentation was written, the feature had an effect only on Internet Explorer version 6.0 SP1 and later; HttpOnly is now supported by all major browsers. For more information about the HttpOnly feature in Internet Explorer 6.0 SP1, see the relevant documents available at http://msdn.microsoft.com. For information about support in other Web browsers, consult the documentation of your browser vendor.

You enable the runtime use of the HttpOnly attribute for system cookies by setting the HTTP service property SystemCookiesDataProtection to true.

For backward compatibility, the HttpOnly attribute is not enabled for system cookies by default. We recommend that you enable it after verifying that your applications do not read the system cookies in client-side script.
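The following is an added example, not code from SAP or from the AS Java: a small audit that parses the Set-Cookie headers of an HTTP response and reports system cookies (JSESSIONID and saplb_*) issued without HttpOnly, which is what you would see while SystemCookiesDataProtection is still false. The response below is constructed for the example and the cookie values are dummies. The optional Secure check goes beyond this page, which does not discuss the Secure attribute; it is included as an assumption of good practice for TLS-fronted systems.

```python
"""Audit Set-Cookie headers of an AS Java response for HttpOnly (added example, not SAP code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# System cookies as named on this page: the session cookie and the load-balancing cookie.
SYSTEM_COOKIE = re.compile(r"^(?:JSESSIONID|saplb_[^=;]+)$")

# Constructed sample response (not captured from a real system). JSESSIONID was
# issued without HttpOnly, the saplb_ cookie with it, plus one application cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=sessionvalue; Path=/\r\n"
    "Set-Cookie: saplb_grp=groupvalue; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=blue; Path=/myapp/; Max-Age=86400\r\n"
    "\r\n"
    "<html>...</html>"
)


@dataclass
class ParsedCookie:
    name: str
    value: str
    attrs: Dict[str, object]   # lower-cased attribute name -> value, or True for flags


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")[1:]          # skip the status line
            if line.lower().startswith("set-cookie:")]


def parse_set_cookie(header_value: str) -> ParsedCookie:
    """Split 'name=value; Attr=val; Flag' into its parts; attribute names are case-insensitive."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return ParsedCookie(name.strip(), value, attrs)


def audit_system_cookies(headers: List[str], over_tls: bool = False) -> List[str]:
    """Findings for system cookies that lack HttpOnly (and Secure, when the site is served over TLS)."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not SYSTEM_COOKIE.match(cookie.name):
            continue                                    # application cookies are out of scope here
        if "httponly" not in cookie.attrs:
            findings.append(f"{cookie.name}: missing HttpOnly")
        if over_tls and "secure" not in cookie.attrs:   # Secure is not covered on this page; assumption
            findings.append(f"{cookie.name}: missing Secure")
    return findings


if __name__ == "__main__":
    for finding in audit_system_cookies(set_cookie_headers(SAMPLE_RESPONSE)):
        print(finding)
```

On the constructed response the audit reports only JSESSIONID as missing HttpOnly; after SystemCookiesDataProtection is set to true, a fresh response should produce no HttpOnly findings for either system cookie. The check is a quick way to confirm the setting took effect on a live system without reading the server configuration, and to catch applications that still read the cookies in script, since those break once the attribute is on.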

More Information

Configuring Cookies