
Session-ID Length

benutzername1
Discoverer
0 Kudos

Hello,
How long is the session identifier in ABAP and Java?

It should be at least 128 bit long.

https://owasp.org/www-community/vulnerabilities/Insufficient_Session-ID_Length

Regards,

Ronny

Accepted Solutions (0)

Answers (2)


marco_hammel2
Participant

Hi Ronny,

In reference to OWASP, I assume you're looking for information about web session IDs.

The short answer is: it depends.

The long answer is: depending on what kind of web framework is used for a certain application and what authentication method is enabled, there can be multiple session IDs around. When it comes to the actual user session, aside from LB session IDs and similar, you typically find a cookie SAP_SESSIONID_<SID>_<Client> in your browser after authentication. Other cookies such as sap-appcontext, sap-contexid, sap-usercontext and iwc-session-instance are for LB and dispatching management.

In a Java (but can be in ABAP too) system the relevant session ID is typically in the MYSAPSSO2 cookie.

For currently supported releases, and with default settings, I can confirm that the user session IDs described here are longer than 128 bits. Please bear in mind that some third-party add-ons or custom-implemented frameworks can use a custom authentication and session management implementation not related to the SAP standard. Also, I know that session identifiers and their length were different prior to release 7.0, but these systems are already out of regular maintenance.

I hope this helps.

BR

Marco
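A way to check the answer above against the OWASP minimum the question cites, added here as an example that is not part of the thread and not SAP code: parse Set-Cookie headers, pick out the user-session cookies Marco names (SAP_SESSIONID_<SID>_<Client> and MYSAPSSO2; the SID/client layout in the regex is an assumption) and estimate the nominal bit length of each value. The cookie values in the sample are constructed, not real SAP tokens.

```python
import math
import re

# Cookie names from the answer above (assumed SID/client layout); LB and
# dispatching cookies such as sap-usercontext are deliberately skipped.
SESSION_COOKIE_RE = re.compile(r"^(SAP_SESSIONID_[A-Z0-9]+_\d{3}|MYSAPSSO2)$")

# Most restrictive alphabet first, so the estimate is conservative.
ALPHABETS = [
    ("hex", re.compile(r"^[0-9a-fA-F]+$"), 16),
    ("alnum", re.compile(r"^[A-Za-z0-9]+$"), 62),
    ("base64", re.compile(r"^[A-Za-z0-9+/_-]+$"), 64),
]

def nominal_bits(value: str) -> float:
    """Bits of identifier space implied by length and alphabet. This bounds
    entropy from above; it does not prove the generator is random."""
    raw = value.rstrip("=")  # base64 padding carries no information
    for _name, pattern, size in ALPHABETS:
        if pattern.fullmatch(raw):
            return len(raw) * math.log2(size)
    return len(raw) * 8.0  # unknown alphabet: treat as opaque bytes

def parse_set_cookie(headers: list) -> dict:
    """Map cookie name -> value, dropping attributes such as Path/HttpOnly."""
    cookies = {}
    for header in headers:
        name, _, value = header.split(";", 1)[0].partition("=")
        cookies[name.strip()] = value.strip()
    return cookies

def audit(headers: list, minimum_bits: float = 128.0) -> dict:
    """Return {cookie: {"bits": float, "ok": bool}} for each session cookie."""
    report = {}
    for name, value in parse_set_cookie(headers).items():
        if SESSION_COOKIE_RE.match(name):
            bits = nominal_bits(value)
            report[name] = {"bits": bits, "ok": bits >= minimum_bits}
    return report
# Constructed sample headers: values are made up for this example and are not
# real SAP tokens; the 16-hex-character one is deliberately too short.
SAMPLE_HEADERS = [
    "SAP_SESSIONID_ABC_100=" + "K9q2Z7m4" * 5 + "; path=/; HttpOnly",
    "MYSAPSSO2=" + "Zm9vYmFy+/" * 4 + "==; path=/; Secure; HttpOnly",
    "sap-usercontext=sap-client=100; path=/",
    "SAP_SESSIONID_XYZ_200=0123456789abcdef; path=/; HttpOnly",
]
if __name__ == "__main__":
    for cookie, result in audit(SAMPLE_HEADERS).items():
        print(f"{cookie}: {result['bits']:.0f} bits -> {'OK' if result['ok'] else 'TOO SHORT'}")
```

Length is only a ceiling on entropy: a 256-bit value from a predictable generator is still weak, so a passing result here does not replace a randomness review of the issuing component.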

benutzername1
Discoverer
0 Kudos

Hello Marco,

Thank you for the detailed answer. This helps.

Regards.

Ronny