How SAP Mobile Platform Server Handles Cookies

When the client calls endpoints or back ends through SAP Mobile Platform Server, which acts as an OData proxy (ODP), SAP Mobile Platform Server manages the cookies received from the back end on behalf of the client.

In a typical setup, the client connects through a load balancer or reverse proxy, rather than directly to SAP Mobile Platform Server. The load balancer or reverse proxy forwards the request to an SAP Mobile Platform Server instance and the SAP Mobile Platform Server OData proxy calls the back end.

The following steps outline how SAP Mobile Platform Server handles cookies after the client has issued a call to SAP Mobile Platform Server or to a configured endpoint.

  1. The client sends its application connection ID, also known as the APPCID, either as a header or as a cookie value. The request also contains a session cookie from SAP Mobile Platform Server and possibly cookies from the load balancer or reverse proxy and from the back end.
  2. The load balancer or reverse proxy uses the session cookies sent by the client to provide session stickiness. In most cases, these cookies are forwarded to SAP Mobile Platform Server.
  3. SAP Mobile Platform Server uses the APPCID and session cookie to identify the client session. It may also add single sign-on cookies to the back-end request. SAP Mobile Platform Server filters out the platform-specific cookies it created itself, which must not be forwarded to the back end. The following names are filtered (matched case-insensitively):
    • Host
    • X-SupDeviceID
    • User-Agent
    • Connection
    • X-SUP-APPCID
    • X-SMP-APPCID
    • X-SMP-SESSID
    • ias-rs-sessionid
    • X-SMP-SESSIDSSO
    • jtenantsessionid...
    In addition, you can configure further cookies to ignore by setting the com.sap.mobile.platform.server.proxy.core.handler.DirectProxy.ignoreCookieList system property (for example, by adding it to the props.ini file in the SAP Mobile Platform Server home directory). Cookie names are comma-separated, and a trailing asterisk ignores every cookie whose name starts with the given prefix. If you do not set this property, the following cookies are removed by default:
    • BIGip...
    • JSESSIONID
  4. SAP Mobile Platform Server stores all cookies returned by back ends in a cookie store that mimics standard browser behavior. The cookie store is serialized into a string, gzipped, and Base64 encoded.
  5. The resulting string is split into fragments of 4000 characters, and each fragment is returned to the client as a cookie named SMP_COOKIE_STORE_<appcid>_<n>, where <appcid> is replaced by the Application Connection ID of the client and <n> is a running number starting at zero (0). These cookies are always marked HttpOnly. When the incoming connection to SAP Mobile Platform Server uses HTTPS, they are also marked Secure. Because the fragments carry the back end's own cookies, including any back-end session cookies, they are as sensitive as the back-end session itself; on a plain HTTP client connection they are sent without the Secure flag.
  6. When an incoming request from the client contains cookies matching SMP_COOKIE_STORE_<appcid>_0 through SMP_COOKIE_STORE_<appcid>_99, the cookie store is reassembled by concatenating the fragments in order, Base64 decoding, and un-gzipping the result, which is then used for communicating with the back end. Other cookies sent by the client that are not on the ignore list are forwarded to the back end as-is.
  7. The load balancer or reverse proxy may add another session cookie if the cookie has changed or was not present in the original client request. These additional cookies are added to the response after it has been handled by SAP Mobile Platform Server.
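The following Python model walks through steps 3 to 6 end to end: the ignore-list filter with its trailing-asterisk prefix rule, the serialize/gzip/Base64 pipeline, the 4000-character fragmentation into SMP_COOKIE_STORE_<appcid>_<n> cookies with HttpOnly and conditional Secure, and the reassembly on the next request. It is an added illustration, not SAP's code. The page does not state the string format of the serialized store, so JSON is assumed here; the sample back-end cookies and the APPCID value are constructed, and the built-in ignore set only contains the names the page lists before its "..." truncation.

```python
import base64
import gzip
import hashlib
import json
from typing import Dict, List, Tuple

FRAGMENT_SIZE = 4000   # characters per SMP_COOKIE_STORE_<appcid>_<n> cookie (from the page)
MAX_FRAGMENTS = 100    # the server reassembles suffixes _0 .. _99 (from the page)
STORE_PREFIX = "SMP_COOKIE_STORE_"

# Names filtered unconditionally; the page's list is truncated, so this set is incomplete.
BUILTIN_IGNORE = {
    "host", "x-supdeviceid", "user-agent", "connection", "x-sup-appcid",
    "x-smp-appcid", "x-smp-sessid", "ias-rs-sessionid", "x-smp-sessidsso",
}
# Default of ...DirectProxy.ignoreCookieList when the property is not set (from the page).
DEFAULT_IGNORE_LIST = "BIGip*,JSESSIONID"


def parse_ignore_list(prop: str) -> List[Tuple[str, bool]]:
    """Comma-separated names -> (lowercased name, is_prefix); a trailing '*' means prefix match."""
    entries = []
    for item in (s.strip() for s in prop.split(",")):
        if item:
            entries.append((item[:-1].lower(), True) if item.endswith("*") else (item.lower(), False))
    return entries


def is_ignored(name: str, ignore_list: List[Tuple[str, bool]]) -> bool:
    """Case-insensitive match against the built-in names and the configured list.
    Assumption: the store fragments themselves are consumed in step 6, never forwarded."""
    lname = name.lower()
    if lname in BUILTIN_IGNORE or lname.startswith(STORE_PREFIX.lower()):
        return True
    return any(lname.startswith(p) if pre else lname == p for p, pre in ignore_list)


def filter_client_cookies(cookies: Dict[str, str], ignore_list) -> Dict[str, str]:
    """Step 3/6: drop platform and load-balancer cookies, pass everything else through as-is."""
    return {n: v for n, v in cookies.items() if not is_ignored(n, ignore_list)}


def serialize_store(store: List[dict]) -> str:
    """Step 4: store -> string (JSON assumed) -> gzip -> Base64."""
    raw = json.dumps(store, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(gzip.compress(raw, mtime=0)).decode("ascii")


def deserialize_store(blob: str) -> List[dict]:
    return json.loads(gzip.decompress(base64.b64decode(blob, validate=True)).decode("utf-8"))


def fragment_store(blob: str, appcid: str, https: bool) -> List[str]:
    """Step 5: one Set-Cookie value per 4000-character piece; always HttpOnly, Secure only on HTTPS."""
    pieces = [blob[i:i + FRAGMENT_SIZE] for i in range(0, len(blob), FRAGMENT_SIZE)]
    if len(pieces) > MAX_FRAGMENTS:
        raise ValueError(f"store needs {len(pieces)} fragments; only {MAX_FRAGMENTS} are reassembled")
    attrs = "; HttpOnly" + ("; Secure" if https else "")
    return [f"{STORE_PREFIX}{appcid}_{i}={piece}{attrs}" for i, piece in enumerate(pieces)]


def reassemble_store(cookies: Dict[str, str], appcid: str) -> List[dict]:
    """Step 6: collect _0.._99 for this APPCID, concatenate in numeric order, decode, gunzip, parse.
    A gap in the numbering is rejected rather than silently truncating the store (page is silent here)."""
    prefix = f"{STORE_PREFIX}{appcid}_"
    numbered = {int(n[len(prefix):]): v for n, v in cookies.items()
                if n.startswith(prefix) and n[len(prefix):].isdigit() and int(n[len(prefix):]) < MAX_FRAGMENTS}
    if not numbered:
        return []
    if sorted(numbered) != list(range(len(numbered))):
        raise ValueError("cookie store fragments are not contiguous")
    return deserialize_store("".join(numbered[i] for i in range(len(numbered))))


def build_sample_store(n: int = 300) -> List[dict]:
    """Constructed back-end cookies (not real data); hash values keep gzip from shrinking the store
    so it spans several fragments."""
    return [{"name": f"SAP_SESSION_{i}", "value": hashlib.sha256(f"cookie-{i}".encode()).hexdigest(),
             "domain": "backend.example.internal", "path": "/"} for i in range(n)]


def demo(https: bool = True) -> dict:
    """Server response, then the client's next request carrying the fragments plus stray cookies."""
    appcid = "3f8d2c1e0a4b"  # hypothetical Application Connection ID
    store = build_sample_store()
    set_cookies = fragment_store(serialize_store(store), appcid, https)
    client_cookies = {h.split("=", 1)[0]: h.split("=", 1)[1].split(";", 1)[0] for h in set_cookies}
    client_cookies.update({"JSESSIONID": "abc", "BIGipServerPool1": "123",
                           "X-SMP-SESSID": "s1", "custom": "keep"})  # constructed
    return {
        "fragments": len(set_cookies),
        "all_httponly": all("; HttpOnly" in h for h in set_cookies),
        "all_secure": all(h.endswith("; Secure") for h in set_cookies),
        "max_len": max(len(h.split("=", 1)[1].split(";", 1)[0]) for h in set_cookies),
        "roundtrip_ok": reassemble_store(client_cookies, appcid) == store,
        "forwarded": filter_client_cookies(client_cookies, parse_ignore_list(DEFAULT_IGNORE_LIST)),
    }


if __name__ == "__main__":
    print(demo(https=True))
```

Running demo() shows the store landing in several cookies of at most 4000 characters, all HttpOnly and Secure, and only the client's unrelated custom cookie surviving the filter on the way to the back end; demo(https=False) produces the same fragments without the Secure flag, which is the case to watch for when a load balancer terminates TLS and talks plain HTTP to the server.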