
Security Sessions

The authentication information of a Web application user is stored in a session object in the SAP J2EE Engine’s Web Container. This session is referred to as a security session and is distinct from the HTTP session. There is a complementary association between a security session and an HTTP session: the security session provides the security-related information of the user that is identified by the HTTP session. A security session can be associated with more than one HTTP session (in the case of single sign-on for Web applications), whereas the association from an HTTP session to a security session is always one-to-one.

Life cycle of Security Sessions

The security session’s life cycle is determined by the life cycle of the HTTP sessions associated with it. That is, a security session lasts until all HTTP sessions associated with it expire or are invalidated. A security session is also destroyed when the timeout period set in the Security Provider Service elapses, or in the failover case described below.

Security Sessions and Failover

Security sessions on the SAP J2EE Engine are not serialized. This implies that in case of a server process crash, the failover function will not be able to migrate the security session to another cluster element together with the HTTP session, and the user will be forced to authenticate himself or herself again.
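The three rules above (one security session per user, possibly holding several HTTP sessions; destroyed only when the last HTTP session is gone or a Security Provider Service timeout elapses; lost on failover because it is not serialized) can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not SAP code and not the engine's actual implementation; the class and method names (`SessionRegistry`, `single_sign_on`, `failover_snapshot`, the `timeout` value in seconds) are assumptions chosen for the example.

```python
"""Model of the HTTP-session / security-session relationship described above.
Constructed example for illustration; not SAP J2EE Engine code."""
import time
from dataclasses import dataclass, field


@dataclass
class SecuritySession:
    user: str
    http_session_ids: set = field(default_factory=set)   # one-to-many side
    last_access: float = field(default_factory=time.time)


class SessionRegistry:
    """Keeps the one-to-one HTTP -> security mapping and the one-to-many
    security -> HTTP mapping. `timeout` stands in for the (assumed) Security
    Provider Service timeout in seconds; None disables it. `clock` is
    injectable so the timeout can be exercised deterministically."""

    def __init__(self, timeout=None, clock=time.time):
        self._http_to_sec = {}      # http session id -> SecuritySession
        self._sessions = []         # live security sessions
        self.timeout = timeout
        self._clock = clock

    def authenticate(self, user, http_session_id):
        """Fresh login: create a security session and attach this HTTP session."""
        sec = SecuritySession(user, {http_session_id}, self._clock())
        self._sessions.append(sec)
        self._http_to_sec[http_session_id] = sec
        return sec

    def single_sign_on(self, existing_http_id, new_http_id):
        """SSO across Web applications: a second HTTP session is attached to the
        user's existing security session instead of creating a new one."""
        sec = self._http_to_sec[existing_http_id]
        sec.http_session_ids.add(new_http_id)
        sec.last_access = self._clock()
        self._http_to_sec[new_http_id] = sec
        return sec

    def invalidate_http(self, http_session_id):
        """Expiry or invalidation of one HTTP session. The security session
        survives until its last associated HTTP session is gone."""
        sec = self._http_to_sec.pop(http_session_id)
        sec.http_session_ids.discard(http_session_id)
        if not sec.http_session_ids:
            self._sessions.remove(sec)

    def expire_timed_out(self):
        """Timeout case: drop idle security sessions together with every HTTP
        association they still hold. Returns the number destroyed."""
        if self.timeout is None:
            return 0
        now = self._clock()
        stale = [s for s in self._sessions if now - s.last_access > self.timeout]
        for s in stale:
            for hid in s.http_session_ids:
                self._http_to_sec.pop(hid, None)
            self._sessions.remove(s)
        return len(stale)

    def user_for(self, http_session_id):
        """Authenticated user behind an HTTP session, or None if unauthenticated."""
        sec = self._http_to_sec.get(http_session_id)
        return sec.user if sec else None

    def live_security_sessions(self):
        return len(self._sessions)

    def failover_snapshot(self):
        """What a failover can carry to another cluster element: the HTTP
        session ids only. Security sessions are not serialized, so they are
        deliberately left out of the snapshot."""
        return sorted(self._http_to_sec)


def restore_after_failover(snapshot):
    """On the new cluster element the migrated HTTP sessions exist, but no
    security session maps to them, so every user must authenticate again."""
    reg = SessionRegistry()
    return reg, {hid: reg.user_for(hid) for hid in snapshot}


if __name__ == "__main__":
    reg = SessionRegistry(timeout=600)
    reg.authenticate("alice", "http-A")
    reg.single_sign_on("http-A", "http-B")
    reg.invalidate_http("http-A")
    print("user behind http-B after dropping http-A:", reg.user_for("http-B"))
    _, after = restore_after_failover(reg.failover_snapshot())
    print("users known after failover:", after)
```

The `failover_snapshot` / `restore_after_failover` pair is the part worth noting for operations: because only HTTP session ids cross over, a load balancer that sticks clients to a surviving node after a crash still presents them with a login page, which is the expected behaviour rather than a fault.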
