Cookie-based session management

When cookie-based session management is used, the Web server sends the browser a message (a cookie) containing the user's information. The browser sends this cookie back to the server when the user tries to access certain pages, which lets the server identify the user and retrieve the user's session from the session database, thus maintaining the user's session. A cookie-based session ends when the user logs off or closes the browser. Cookie-based session management is secure because it uses an identification tag that flows only over SSL, and it offers significant performance benefits because the WebSphere Commerce caching mechanism supports only cookie-based sessions, not URL rewriting. IBM recommends cookie-based session management for customer sessions.

If you are not using URL rewriting and you want to ensure that users have cookies enabled on their browsers, check Cookie acceptance test on the Session Management page of Configuration Manager. This informs the customer that if their browser does not support cookies, or if they have turned off cookies, they need a browser that supports cookies to browse the WebSphere Commerce site.

For security reasons, cookie-based session management uses two types of cookies, as discussed in the following sections.

Non-secure session cookie

This cookie is used to manage session data. It contains an activity identifier that points to attributes such as the negotiated language, current store, and customer's preferred currency at the time that the cookie is constructed. This cookie can flow between the browser and server under either an SSL or a non-SSL connection. There are two types of non-secure session cookies:

To select which type of cookie to use, select WebSphere Commerce or WebSphere Application Server for the Cookie session manager parameter on the Session Management page of Configuration Manager.

By default, a WebSphere Commerce instance is configured to use WebSphere Commerce session management. However, some custom applications may need to store more session data than the cookie limit of the Internet Explorer® browser allows. In this case, you may wish to switch to the WebSphere Application Server cookie management mechanism.

The WebSphere Application Server session manager stores session-related information in one of three ways: in memory within the application server, in which case it cannot be shared with other application servers; in a back-end database shared by all application servers; or through memory-to-memory replication.
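As an added illustration (not code from this page or from WebSphere Commerce), the following Python model shows the two-cookie scheme described in the sections above: a non-secure cookie that carries only an opaque activity identifier resolving to language, store and currency, a Secure cookie that carries the identification tag and so flows only over SSL, and log-off ending the session. The cookie names, the in-memory session store and the sample values are assumptions.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed in-memory session database (activity id -> attributes): the
# "in-memory within the application server" storage option described above.
SESSION_DB = {}
ACTIVITY_COOKIE = "WC_ACTIVITY"  # hypothetical name, non-secure session cookie
AUTH_COOKIE = "WC_AUTH"          # hypothetical name, secure identification cookie

def create_session(language, store, currency, user_id=None):
    """Return the Set-Cookie jar for a new session: an opaque activity id in a
    non-secure cookie and, for an authenticated user, an identification tag in
    a Secure cookie that the browser returns only over SSL."""
    activity_id = secrets.token_hex(16)
    session = {"language": language, "store": store, "currency": currency,
               "user_id": user_id, "tag": None}
    SESSION_DB[activity_id] = session
    jar = SimpleCookie()
    jar[ACTIVITY_COOKIE] = activity_id
    jar[ACTIVITY_COOKIE]["httponly"] = True
    if user_id is not None:
        session["tag"] = secrets.token_hex(16)
        jar[AUTH_COOKIE] = session["tag"]
        jar[AUTH_COOKIE]["secure"] = True  # never sent on a non-SSL connection
        jar[AUTH_COOKIE]["httponly"] = True
    return jar

def resolve_session(cookie_header, over_ssl):
    """Return (session, authenticated) for an incoming Cookie header."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    activity_id = jar[ACTIVITY_COOKIE].value if ACTIVITY_COOKIE in jar else ""
    session = SESSION_DB.get(activity_id)
    if session is None:
        return None, False
    # The tag is honoured only on SSL requests: a tag that somehow reaches the
    # server on a plain connection yields an unauthenticated session.
    tag = jar[AUTH_COOKIE].value if AUTH_COOKIE in jar else ""
    authenticated = bool(over_ssl and session["tag"] and
                         secrets.compare_digest(tag.encode(), session["tag"].encode()))
    return session, authenticated

def end_session(activity_id):
    """Log off: forget the session and tell the browser to expire both cookies."""
    SESSION_DB.pop(activity_id, None)
    jar = SimpleCookie()
    for name in (ACTIVITY_COOKIE, AUTH_COOKIE):
        jar[name] = ""
        jar[name]["max-age"] = 0
    return jar
```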