Skip to Content

​Set the HTTP sessiontimeout for an OData service

Jun 23, 2017 at 01:25 PM


avatar image

Hi all,

I need to specify the http sessiontimeout parameter for some OData services I wrote on HANA 1.0 SP12 and HANA 2.0 SP01. I do not want to modify the global sessiontimeout into xsengine.ini\httpserver, but I want to override it for a specific OData service. How can I do that?



10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

1 Answer

Best Answer
Thomas Jung
Jun 26, 2017 at 12:28 PM

You can't set the session time out at the session level. Why are you wanting to override it? In XSC the session is really only for sticky authentication. There isn't really session persistency at the XS level. What exactly is the core problem you are encountering?

Show 5 Share
10 |10000 characters needed characters left characters exceeded

The core problem is described in this post. Basically, I am trying to implement the login/logout mechanism through the basic authentication which should be used by a web app to call OData services. I know that this kind of authentication is not suitable for logout purpose, but I found many obstacles to exploit form-based or saml 2.0 authentications due to the lack of examples/tutorials for HANA 1.0 SP 12, 2.0 and 2.0 SP 01 systems both for XSC and XSA (this is the actual problem!). So, a simple solution I found is to set the sessiontimeout to its minimum (1 second). Doing that my goal is reached, but this solution impacts to all the http sessions because the parameter is global. How can I override it for my OData services only? In the XSC scenario, is it necessary to modify the .xsapp or the .xsaccess files? How?

Since I am stuck on basic authentication, I am currently exploring the possibility to use from authentication, because the token.xsjs, loginxsc.func, and logout.xscfunc are already provided by HANA. In this case, session cookies do not expire after logout and tokens are not always provided, in fact, frequently the value of X-CSRF-Token header field given by token.xsjs is ‘unsafe’.


In XSC there is a browser cookie called XSSESSIONID. If you delete this cookie it should have the same impact as the session timeout. However removing the session won't remove basic authentication headers.


The only cookies I can get are something like these:

After an OData request, HANA sends a couple of cookies such as for example xsId49B315EB65C94C55BB6ED9C0CC9F53AB and sapxslb. You can even delete these cookies at client-side, but for each new OData request, HANA continues to send the same cookies until the sessiontimeout is reached. So, to my understanding, the only way to invalidate or delete the cookies is server-side. Typically, other web servers permit to set the session timeout for each application, but HANA does not provide this possibility.

capture.png (46.3 kB)

Yes these are the session cookies. If you don't return these then a new session is created on the server side. However, as I said earlier, this doesn't remove basic authentication headers.


Thanks Thomas. Finally, with a bit of reverse engineering, I make the form-based authentication works.