
Using Stateful Web Services Requests


In instances in which the application manages the creation and release of user sessions, the following apply:

  • Clients must make login and logoff calls in their code to manage the session.
  • The login step returns an HTTP cookie that contains the session identifier that must be used for making additional requests.
  • A session remains active until the user explicitly logs out or until the session times out.

Web services session management is HTTP-based and uses a session ID (also known as a JSESSIONID), which is contained in HTTP Session cookies, to uniquely identify a session established with Oracle CRM On Demand.

Oracle CRM On Demand Web Services enable session management by first creating a session using the login call, which is then referenced in any subsequent SOAP operations.

In an Oracle SOAP session, after a session ID has been created in a login request, it can be referenced by including the session ID within the cookie header line. When a session ID is referenced as a cookie, a cookie header line must appear in the request with the name JSESSIONID=. In this case, the session ID name (JSESSIONID) appears in uppercase, and the value of the cookie is exactly the same as the session ID received from the login request.

NOTE: This is the recommended approach to referencing the session ID, for several reasons. The Java servlet specification advises the use of cookies and not the URL wherever possible. Most development environments and programming languages handle cookies more efficiently than adding arguments to the URL. Furthermore, it is much simpler to implement cookies because the cookie container from the Oracle CRM On Demand login response can be copied onto further requests being sent to Oracle CRM On Demand. Attaching the session ID as a parameter to the URL request line is contrary to security standards and is not good practice.

When a login request is made, the session ID is returned as a cookie in the response to the request. The client is responsible for extracting this session ID and using it throughout the session. If the session times out for any reason, the error returned reports that the session is not valid and the client must then request a new session. In this case, no explicit logoff operation is required.

Once a session ID is retrieved, it is possible to use the session ID to invoke Web services by using HTTP POST; for more information, see Integration Requests for the Web Services Session.

To issue a logoff request to terminate a session, the request must identify the session using the JSESSIONID value.

All requests must use HTTP Secure (HTTPS).
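
The cookie handling described above, as an added Python example that is not part of the Oracle guide: it extracts the JSESSIONID from a login response's Set-Cookie lines and builds the Cookie header for later requests, refusing non-HTTPS URLs and URLs that carry the session ID. The host, path, and cookie values are constructed placeholders, and the function names are assumptions of this example.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

COOKIE_NAME = "JSESSIONID"  # cookie name stated on this page

# Constructed Set-Cookie lines standing in for a login response (not real output).
SAMPLE_SET_COOKIE = [
    "OTHER=1; Path=/",
    "JSESSIONID=CONSTRUCTED0123456789abcdef; Path=/; Secure; HttpOnly",
]


def extract_session_id(set_cookie_headers):
    """Return the JSESSIONID value from a login response's Set-Cookie lines."""
    for line in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(line)
        if COOKIE_NAME in jar:  # exact, uppercase cookie name
            return jar[COOKIE_NAME].value
    raise ValueError("login response carried no JSESSIONID cookie")


def session_headers(url, session_id):
    """Build the Cookie header for a follow-up request, or refuse the request."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("all requests must use HTTPS")
    # The session ID belongs in the Cookie header; reject it anywhere in the
    # URL (path parameter or query string), since URLs are commonly logged.
    if "jsessionid" in f"{parts.path}?{parts.query}".lower():
        raise ValueError("session ID must not be placed in the URL")
    if not session_id or any(c in session_id for c in ";\r\n "):
        raise ValueError("session ID is empty or malformed")
    return {"Cookie": f"{COOKIE_NAME}={session_id}"}


if __name__ == "__main__":
    sid = extract_session_id(SAMPLE_SET_COOKIE)
    # Placeholder URL: the real service endpoint is not given on this page.
    print(session_headers("https://crm.example.invalid/placeholder", sid))
```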

Oracle Web Services On Demand Guide, Version 20.0 (Oracle CRM On Demand Release 32) Copyright © 2016, Oracle and/or its affiliates. All rights reserved. Legal Notices.