Using Stateful Web Services Requests
When the application manages the creation and release of user sessions, the following apply:
Clients must make login and logoff calls in their code to manage the session.
The login step returns an HTTP cookie that contains the session identifier that must be used for making additional requests.
A session remains active until the user explicitly logs out or until the session times out.
Web services session management is HTTP-based and uses a session ID (also known as a JSESSIONID), which is contained in HTTP Session cookies, to uniquely identify a session established with Oracle CRM On Demand.
Oracle CRM On Demand Web Services enable session management by first creating a session using the login call, which is then referenced in any subsequent SOAP operations.
In an Oracle SOAP session, after a session ID has been created in a login request, it can be referenced by including the session ID within the cookie header line. When a session ID is referenced as a cookie, a cookie header line must appear in the request with the name JSESSIONID=. In this case, the session ID appears in uppercase, and the value of the cookie is exactly the same as the session ID received from the login request.
When a login request is made, the session ID is returned as a cookie in the response to the request. The client is responsible for extracting this session ID and using it throughout the session. If the session times out for any reason, the error returned reports that the session is not valid and the client must then request a new session. In this case, no explicit logoff operation is required.
Once a session ID is retrieved, it can be used to invoke Web services by using HTTP POST; for more information, see Integration Requests for the Web Services Session.
To issue a logoff request to terminate a session, the request must identify the session using the JSESSIONID value.
All requests must use HTTP Secure (HTTPS).
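The client-side handling described above (extracting the session ID from the login response, sending it back as an uppercase JSESSIONID cookie, and keeping it on HTTPS) can be sketched as follows. This is an added example, not Oracle's code: the host name, URL path, cookie values and function names are constructed or hypothetical, and the redaction helper is an added precaution for client logs.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

COOKIE_NAME = "JSESSIONID"  # cookie name from this page; sent in uppercase

# Constructed Set-Cookie lines standing in for a login response (not real output).
SAMPLE_LOGIN_HEADERS = [
    "lang=en; Path=/",
    "JSESSIONID=AbC123xYz.constructed-node1; Path=/; Secure; HttpOnly",
]


def extract_session_id(set_cookie_headers):
    """Return the JSESSIONID value from a login response's Set-Cookie lines."""
    for line in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(line)
        if COOKIE_NAME in jar:  # exact, case-sensitive name match
            value = jar[COOKIE_NAME].value
            if value:
                return value  # returned unchanged, exactly as received
    raise ValueError("login response carried no JSESSIONID cookie")


def session_headers(url, session_id):
    """Build the Cookie header for a follow-up or logoff request, HTTPS only."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send the session ID over a non-HTTPS URL")
    if any(c in session_id for c in "\r\n;, "):
        raise ValueError("session ID has characters unsafe in a Cookie header")
    return {"Cookie": f"{COOKIE_NAME}={session_id}"}


def redact(session_id):
    """Shortened form of the ID for client logs, so the full value is not stored."""
    return session_id[:4] + "..." if len(session_id) > 8 else "***"


if __name__ == "__main__":
    sid = extract_session_id(SAMPLE_LOGIN_HEADERS)
    # crm.example.invalid/ws is a hypothetical endpoint used only for illustration.
    print(session_headers("https://crm.example.invalid/ws", sid))
    print("session in use:", redact(sid))
```

When the service reports that the session is not valid, the client discards the stored ID and repeats the login call, then runs the new response through `extract_session_id` again.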