The core problem is described in this post. Basically, I am trying to implement the login/logout mechanism through the basic authentication which should be used by a web app to call OData services. I know that this kind of authentication is not suitable for logout purpose, but I found many obstacles to exploit form-based or saml 2.0 authentications due to the lack of examples/tutorials for HANA 1.0 SP 12, 2.0 and 2.0 SP 01 systems both for XSC and XSA (this is the actual problem!). So, a simple solution I found is to set the sessiontimeout to its minimum (1 second). Doing that my goal is reached, but this solution impacts to all the http sessions because the parameter is global. How can I override it for my OData services only? In the XSC scenario, is it necessary to modify the .xsapp or the .xsaccess files? How?

Since I am stuck on basic authentication, I am currently exploring the possibility to use from authentication, because the token.xsjs, loginxsc.func, and logout.xscfunc are already provided by HANA. In this case, session cookies do not expire after logout and tokens are not always provided, in fact, frequently the value of X-CSRF-Token header field given by token.xsjs is ‘unsafe’.

The only cookies I can get are something like these:

After an OData request, HANA sends a couple of cookies such as for example xsId49B315EB65C94C55BB6ED9C0CC9F53AB and sapxslb. You can even delete these cookies at client-side, but for each new OData request, HANA continues to send the same cookies until the sessiontimeout is reached. So, to my understanding, the only way to invalidate or delete the cookies is server-side. Typically, other web servers permit to set the session timeout for each application, but HANA does not provide this possibility.

Thanks Thomas. Finally, with a bit of reverse engineering, I make the form-based authentication works.