Supported session ID data types

WebSEAL can maintain session state with both HTTP and HTTPS clients. The SSL transport protocol is specifically designed to provide a session ID to maintain session state information. In contrast, HTTP is a "stateless" protocol and does not provide any means of distinguishing one request from another. (HTTP communication can be encapsulated over SSL to become HTTPS.)

However, WebSEAL must often handle HTTP communication from unauthenticated clients. There are also times when the SSL session ID is not an appropriate solution.

To maintain session state with clients over HTTP or HTTPS, WebSEAL can use one of several data types to provide a client-identifying session key, known as the WebSEAL session ID.

WebSEAL maintains the specific client identity and session information in a session cache. Each session cache entry is indexed by a session key (the WebSEAL session ID).

The following supported data types can provide the session key used by WebSEAL to maintain session state with a client:

• SSL session ID (defined by the SSL protocol)
• Server-specific session cookie

When WebSEAL examines a client request, it searches for the session key in the order specified in this list.

Parent topic: Session state overview

Related concepts

• Session state concepts
• Information retrieved from a client request
• Validation of the client identifier for a session
• WebSEAL session cache structure
• Deployment considerations for clustered environments
• Options for handling failover in clustered environments