HTTP Headers and Cookies

Headers

• X-SUP-DOMAIN – SAP Mobile Platform domain name to override the domain derived from the URL.

  For example, if the “mobile.sap.com” is the domain name requested in URL, but client wants to use the “mobile.application” domain. In this case, client can send HTTP request where X-SUP-DOMAIN header value will be “mobile.application”.

• X-SUP-SC – Security configuration to override domain default security configuration.

  For example, “mobile.application” domain has two assigned security configurations: “sc1” and “sc2”, and “sc1” is the default security configuration. By default, the “sc1” will be used to authenticate user. If client wants to authenticate using “sc2”, it can send HTTP request with the X-SUP-SC header as “sc2”.

  Note: X-SUP-DOMAIN and X-SUP-SC complement each other but do not necessarily need to be set together. If X-SUP-SC is used, you must associate the security configuration to the domain in which the request is authenticated to allow a successful connection, otherwise a 403 error is returned to the device. If a request refers to a non-existent domain or security configuration, 404 error is returned to the device. If the domain is disabled, a 503 error is returned.
• X-SUP-BACKEND-URL – Application can provide the backend request URL via X-SUP-BACKEND-URL header while sending the request to SAP Mobile Server. The server forwards the request to the URL as provided in the X-SUP-BACKEND-URL.

  If the X-SUP-BACKEND-URL header is present in the request, then URL rewrite will be disabled, that is URL rewrite is turned off.

  Note: The URL should be whitelisted in server, else you receive an error.

Cookies

Cookies are returned by servers in the HTTP response header (Set-Cookie header) and included by the HTTP client (for example, a browser) in the subsequent HTTP request header (cookie header).

• X-SUP-APPCID – Communicates the application connection ID as generated by the application the request originates from, or as issued by the server during using the X-SUP-APPCID response header and the permanent X-SUP-APPCID cookie. SAP Mobile Platform response headers carry the X-SUP-APPCID regardless of whether or not the incoming request carried a cookie or X-SUP-APPCID header. The X-SUP-APPCID value has a maximum length of 128 characters. If the request does not carry an X-SUP-APPCID, the server generates a value automatically.

  X-SUP-APPCID is received as a cookie, but sent back to the server either as a cookie or as a header.

• X-SUP-SECTOKEN – Cookie generated for anonymous registration.

  Security token generated to protect anonymous registered application connection settings not to be changed by other device users.

  X-SUP-SECTOKEN is received as a cookie, but sent back to the server either as a cookie or as a header.

• X-SUP-SESSID – X-SUP-SESSID is the actual JSESSIONID issued by the web container. If X-SUP-SESSID is provided in the request header, server bypasses the security configuration check during the session time.

  If the X-SUP-SESSID is not provided, the SAP Mobile Platform performs authentication through security configuration against backend security server.

  The default session timeout is 30 minutes. If the session times out, or if the client does not send the X-SUP-SESSID cookie in the request, a new session is created on the server.

  You can change the default timeout by manually adding the session-timeout configuration into the SMP_HOME\Servers\UnwiredServer\deploy\webapps\httpchannel\WEB-INF\web.xml file, and restarting the server. You must manually modify all the nodes:

  <web-app>
  ...
  <session-config>
  <session-timeout>30</session-timeout>
  </session-config>
  ...
  </web-app>

  Note: The X-SUP-SESSID cookie should be used by load balancers to support server affinity. Based on the X-SUP-SESSID HTTP header, load balancers directly dispatches other client requests to SAP Mobile Platform. For more information, see Requirements for Client Load Balancing in Landscape Design and Integration.