4.3.2 Session Key Method

To identify a session with the client, a unique session key is allocated to the session when the session is created. This session key is returned to the browser.

To identify that a request belongs to a particular session, the browser must pass the session key back to the server with each request. The passing of the session key is done transparently to the rest of the application.

A WAM supports three ways of maintaining the session key in the browser:

1.  It can be stored in a hidden field that is returned for every page.

2.  It can be passed back in a URL.

3.  It can be stored in a cookie maintained in the browser memory. You have a choice of a standard cookie or a secure cookie. If you choose secure cookies, the session key is passed only over an SSL (HTTPS) connection, to prevent any chance of eavesdropping on the session key. This implies that an application using the secure cookie mechanism must be served to the browser over HTTPS.

The third method, secure cookies, is considered the most secure because they are the most difficult to steal either visually or programmatically.
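The following is an added example, not WAM or LANSA code, that models the three carriers listed above on both sides of the exchange: the server allocates a key, returns it, and later recovers it from a hidden field, a URL parameter or a cookie; the browser side applies the rule that a cookie carrying the Secure attribute is attached only to HTTPS requests, which is why a secure-cookie application must be served over HTTPS. The cookie name `wamsessionkey`, the host `example.test` and all function names are assumptions made for the illustration.

```python
"""Added example (not WAM/LANSA code): session key carried by hidden field,
URL or cookie, and the browser rule that withholds a Secure cookie over HTTP.
Names and values here are assumptions for illustration only."""
import secrets
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlparse

SESSION_KEY_NAME = "wamsessionkey"   # assumed field/cookie name, not a WAM identifier


def new_session_key() -> str:
    """Allocate an unguessable session key when a session is created."""
    return secrets.token_urlsafe(32)


def set_cookie_header(key: str, secure: bool) -> str:
    """Build the Set-Cookie header returned to the browser with the session key.
    secure=True corresponds to the 'secure cookie' choice described above."""
    jar = SimpleCookie()
    jar[SESSION_KEY_NAME] = key
    jar[SESSION_KEY_NAME]["httponly"] = True   # not readable by page script
    jar[SESSION_KEY_NAME]["path"] = "/"
    if secure:
        jar[SESSION_KEY_NAME]["secure"] = True  # browser sends it only over HTTPS
    return jar.output(header="").strip()


def browser_cookie_header(set_cookie: str, request_url: str) -> str:
    """Model the browser: the stored cookie is attached to a request, except that
    a cookie with the Secure attribute is withheld when the scheme is not https."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar[SESSION_KEY_NAME]
    if morsel["secure"] and urlparse(request_url).scheme != "https":
        return ""  # secure cookie: nothing is sent on a plain-HTTP request
    return f"{SESSION_KEY_NAME}={morsel.value}"


def session_key_from_request(url: str, headers: dict, form: dict) -> Optional[str]:
    """Server side: recover the session key from whichever carrier is in use.
    The order hidden field, URL, cookie is this example's choice, not WAM's."""
    # 1. hidden field returned with every page (posted form data)
    if form.get(SESSION_KEY_NAME):
        return form[SESSION_KEY_NAME]
    # 2. passed back in the URL query string
    query = parse_qs(urlparse(url).query)
    if query.get(SESSION_KEY_NAME):
        return query[SESSION_KEY_NAME][0]
    # 3. cookie maintained by the browser
    cookie_header = headers.get("Cookie", "")
    if cookie_header:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if SESSION_KEY_NAME in jar:
            return jar[SESSION_KEY_NAME].value
    return None


def demo() -> dict:
    """Run one key through all three carriers; returns what the server recovered."""
    key = new_session_key()
    set_cookie = set_cookie_header(key, secure=True)
    results = {"key": key}
    # HTTPS request: the browser attaches the secure cookie, server recovers the key
    https_url = "https://example.test/app"
    results["https"] = session_key_from_request(
        https_url, {"Cookie": browser_cookie_header(set_cookie, https_url)}, {})
    # plain-HTTP request: the secure cookie is withheld, server sees no session
    http_url = "http://example.test/app"
    results["http"] = session_key_from_request(
        http_url, {"Cookie": browser_cookie_header(set_cookie, http_url)}, {})
    # hidden field and URL carriers for comparison
    results["hidden"] = session_key_from_request(https_url, {}, {SESSION_KEY_NAME: key})
    results["url"] = session_key_from_request(
        f"{https_url}?{SESSION_KEY_NAME}={key}", {}, {})
    return results


if __name__ == "__main__":
    for carrier, value in demo().items():
        print(f"{carrier:>6}: {value}")
```

Running `demo()` shows the `https`, `hidden` and `url` entries equal to the allocated key while `http` is `None`: with a secure cookie the key simply never leaves the browser on an unencrypted connection, so the application only functions when served over HTTPS, exactly as the section states.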

The hidden field Session Key Method doesn't work in jQuery Mobile because of the way pages are loaded without doing a full page refresh. Use either the URL or cookie methods instead.