Basic Authentication
See this documentation
Cookie handling
...
With the response of the first call to the gateway it will send a “SET COOKIE GWSESSIONID=<id>” header giving you the sessionid it created for this call (i.e. session). Any further calls need to have the header GWSESSIONID=<id> set for the gateway to be able to recognize them as belonging to the same session.
If this header is not present the gateway will create a new session for each call causing inactive sessions to pile up. This causes performance degradation and also, if the maximum number of conccurent sessions per user is reached, no new calls can be executed anymore. This maximum is 1000 per default.
Common HTTP frameworks such as the Apache HTTP Components already have the logic to do the cookie handling for you if the configuration is set accordingly.
In case of the Apache HTTP Components this is done by creating the HttpClient with a BasicCookieStore like this:CookieStore cookieStore = new BasicCookieStore();CloseableHttpClienthttpclient = HttpClientBuilder.create().setDefaultRequestConfig(requestBuilder.build()).setDefaultCredentialsProvider(getCredentialProvider()).setDefaultCookieStore(cookieStore).build();
Closing Session
The duration of a session can be set separately for the core service and for the gateway. The default duration is 30 minutes for both. To close the session you have two options:
The header parameter "x-os-session-keep-alive":
This header can be used to force the session
...
identified by the GWSESSIONID header to be closed in both the gateway and the core service. The default and implicitly set value (if the header is not present) is true. If set to false the session will be closed after this call.
Call the URL …/logout:
The Gateway will close its session for this GWSESSIONID and also try to close the core-service session.