When a client calls endpoints or back ends through SAP Mobile Platform Server acting
as an OData proxy (ODP), SAP Mobile Platform Server manages the received cookies on
behalf of the client.
In a typical setup, the client connects through a load balancer or reverse proxy, rather than
directly to SAP Mobile Platform Server. The load balancer or reverse proxy
forwards the request to an SAP Mobile Platform Server instance and the
SAP Mobile Platform Server OData proxy calls the back end.
The following steps outline how SAP Mobile Platform Server handles cookies after the
client has issued a call to SAP Mobile Platform Server or to a configured endpoint.
- The client sends the application registration ID, also known as APPCID, either as a
header or as a cookie value. The request also contains a session cookie from
SAP Mobile Platform Server and possibly from the load balancer or reverse
proxy and the back end.
- The load balancer or reverse proxy handles the session cookies sent by the client to provide
session stickiness. In most cases, these cookies are forwarded to
SAP Mobile Platform Server.
- SAP Mobile Platform Server uses the APPCID and session cookie to identify a client
session. It may also add single sign-on cookies to the back-end request.
SAP Mobile Platform Server filters out existing platform-specific cookies
created by SAP Mobile Platform Server that must not be forwarded to the back
end. The following cookies are filtered (ignoring case):
In addition, you can configure the following cookies by setting the
System Property (for example, by adding it to the props.ini
file in the SAP Mobile Platform Server home directory). The cookie names
must be comma-separated, and a trailing asterisk indicates that all
cookies whose names start with the given prefix are ignored. If you do not provide this
property, the following cookies are removed (default configuration):
- SAP Mobile Platform Server stores all cookies returned by back ends in a cookie store,
which mimics standard browser behavior. The cookie store is serialized into a
string, gzipped, and Base64-encoded.
- Afterwards, the string is split into fragments of 4000 characters and sent back to
the client as cookies named with the prefix SMP_COOKIE_STORE_<appcid>_ followed by a
running number starting at zero (0), where <appcid> is replaced by the Application
Connection ID of the client. These cookies are always marked HttpOnly. When the
incoming connection to SAP Mobile Platform Server uses HTTPS, the cookies
are also marked Secure.
- When an incoming request from the client contains cookies matching the
SMP_COOKIE_STORE_<appcid>_0-99 prefix, the cookie store is reassembled by
concatenating the fragments in order, Base64-decoding and un-gzipping the result, which
is then used for communicating with the back end. Additional cookies sent by the client
that are not on the filter list are always forwarded to the back end as-is.
- The load balancer or reverse proxy may add another session cookie if the cookie has changed
or was not present in the original client request. These additional cookies are
added to the response after it has been handled by
SAP Mobile Platform Server.
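The filter matching and the cookie-store round trip described in the steps above, as an added example in Python (not SAP's own code; the JSON serialization of the store, the filter spec string and the sample cookie values are constructed assumptions):

```python
import base64
import gzip
import json

FRAGMENT_SIZE = 4000          # fragment length stated on the page
PREFIX = "SMP_COOKIE_STORE_"  # cookie-name prefix stated on the page


def cookie_filter(spec: str):
    """Build a case-insensitive filter from a comma-separated property value.

    A trailing '*' matches every cookie whose name starts with the stem,
    e.g. "JSESSIONID,X-SMP-*" (a constructed spec, not the product default).
    """
    exact, prefixes = set(), []
    for raw in spec.split(","):
        name = raw.strip().lower()
        if name.endswith("*"):
            prefixes.append(name[:-1])
        elif name:
            exact.add(name)

    def is_filtered(cookie_name: str) -> bool:
        n = cookie_name.lower()
        return n in exact or any(n.startswith(p) for p in prefixes)
    return is_filtered


def fragment_store(store: dict, appcid: str, https: bool) -> list:
    """Serialize -> gzip -> Base64 -> 4000-char fragments as (name, value, flags)."""
    blob = base64.b64encode(gzip.compress(json.dumps(store).encode())).decode()
    flags = ["HttpOnly"] + (["Secure"] if https else [])  # Secure only over HTTPS
    return [(f"{PREFIX}{appcid}_{i}", blob[o:o + FRAGMENT_SIZE], flags)
            for i, o in enumerate(range(0, len(blob), FRAGMENT_SIZE))]


def reassemble_store(cookies: dict, appcid: str) -> dict:
    """Collect SMP_COOKIE_STORE_<appcid>_0..99 and decode them back into the store.

    Fragments are ordered by their numeric suffix, not by arrival order or by
    string sort (which would place _10 before _2); indices above 99 are ignored.
    """
    prefix = f"{PREFIX}{appcid}_"
    parts = {}
    for name, value in cookies.items():
        suffix = name[len(prefix):]
        if name.startswith(prefix) and suffix.isdigit() and int(suffix) <= 99:
            parts[int(suffix)] = value
    if not parts:
        return {}
    blob = "".join(parts[i] for i in sorted(parts))
    return json.loads(gzip.decompress(base64.b64decode(blob)))
```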