HTTP Headers and Cookies

Use HTTP headers and cookies to communicate application connection information or override the default security configuration of the domain.

Headers

X-SUP-DOMAIN – Sybase Unwired Platform domain name to override the domain derived from the URL.
For example, if the “mobile.sybase.com” is the domain name requested in URL, but client wants to use the “mobile.application” domain. In this case, client can send HTTP request where X-SUP-DOMAIN header value will be “mobile.application”.
X-SUP-SC – Security configuration to override domain default security configuration.
For example, “mobile.application” domain has two assigned security configurations: “sc1” and “sc2”, and “sc1” is the default security configuration. By default, the “sc1” will be used to authenticate user. If client wants to authenticate using “sc2”, it can send HTTP request with the X-SUP-SC header as “sc2”.

Note: X-SUP-DOMAIN and X-SUP-SC complement each other but do not necessarily need to be set together. If X-SUP-SC is used, you must associate the security configuration to the domain in which the request is authenticated to allow a successful connection, otherwise a 403 error is returned to the device. If a request refers to a non-existent domain or security configuration, the "default" domain (or "admin") security configuration is used. If the domain is disabled, a 503 error is returned.

Cookies

Cookies are returned by servers in the HTTP response header (Set-Cookie header) and included by the HTTP client (for example, a browser) in the subsequent HTTP request header (cookie header).

X-SUP-APPCID – Communicates the application connection ID as generated by the application the request originates from, or as issued by the server during using the X-SUP-APPCID response header and the permanent X-SUP-APPCID cookie. Sybase Unwired Platform response headers carry the X-SUP-APPCID regardless of whether or not the incoming request carried a cookie or X-SUP-APPCID header. The X-SUP-APPCID value has a maximum length of 128 characters. If the request does not carry an X-SUP-APPCID, the server generates a value automatically.
X-SUP-APPCID is received as a cookie, but sent back to the server either as a cookie or as a header.
X-SUP-SECTOKEN – Cookie generated for anonymous registration.
Security token generated to protect anonymous registered application connection settings not to be changed by other device users.

X-SUP-SECTOKEN is received as a cookie, but sent back to the server either as a cookie or as a header.
X-SUP-SESSID – Actual session ID issued by the server.
X-SUP-SESSID is the actual JSESSIONID issued by the Web container, and is used to mitigate the potential of session hijacking when using regular HTTP for communication with Sybase Unwired Platform protocols. The session cannot be used across Sybase Unwired Platform protocol and REST service. Any request to a REST services using a JSESSIONID associated with a Sybase Unwired Platform protocol will cause the session invalidation, and a new session ID will be issued.

The default session timeout is 30 minutes. If the session times out, or if the client does not send the X-SUP-SESSID cookie in the request, a new session is created on the server.

You can change the default timeout by manually adding the session-timeout configuration into the SUP_HOME\Servers\UnwiredServer\deploy\webapps\httpchannel\WEB-INF\web.xml file, and restarting the server. You must manually modify all the nodes:
```
<web-app>
...
<session-config>
<session-timeout>30</session-timeout>
</session-config>
...
</web-app>
```