Oracle® Fusion Middleware
Part 12. Authentication filters

The Create Session filter enables the API Gateway to create an HTTP session and configure various session attributes (for example, expiry, domain, and security). This filter requires an authentication.subject.id attribute for the user, and stores it in the HTTP session. The session ID is used to create a cookie named VIDUSR, which is stored in the generated http.session.cookie.name attribute. The cookie is then sent to the user specified by the authentication.subject.id attribute.

The Create Session filter should be used with the Check Session and End Session filters to manage HTTP sessions. For more details, see:

Complete the following fields to configure this filter:

Name:

Enter an appropriate name for this filter to display in a policy.

Expiration time of session in milliseconds:

Enter the HTTP session expiry timeout in milliseconds. When the session reaches the specified lifetime, it is automatically invalidated, and can no longer pass the Check Session filter.

Session cookie domain:

Enter the domain value for the Set-Cookie header (for example, example.com). This informs the browser that cookies should be sent back to the server for the specified domain only.

Session cookie path:

Enter the path value for the Set-Cookie header (for example, /sales). This informs the browser that cookies should be sent back to the server for the specified path only. Defaults to /.

Session sent over SSL only:

Select whether the session uses SSL only. When selected, this adds a Secure flag to the cookie.

HTTP-only cookie:

Select whether the session uses HTTP only. When selected, this adds an HTTPOnly flag to the cookie.