cloud-sdk-js
Is there a way in the Node.js Cloud SDK to use session cookies?
Hello SAP Cloud SDK for Node.JS Experts,
as requested by Artem Kovalov in the reply to my question on this topic in the SAP Community I post the question here:
A while ago I've posted the question Slow response times when calling SAP Business One (B1) Service Layer with CAP. In addition to the answer from @TrinidadMG we've got the following answer from SAP Support:
"I just discussed this with someone from Business One to learn more about the problem.
From the discussion in SAP answers I also learned that the authentication is done for every call to the B1 system. I also learned that the session keeps alive for 30mins, and after that the authentication is slower again, until the new session in B1 has been established.
So from CAP point of view a possible solution would be to keep the session alive with heartbeat requests every 25mins (or even longer intervals like 29mins if the interval scheduler is accurate enough). If you keep the session alive, with a heartbeat request then there will be no slow requests anymore as long as the session gets random requests and stays active.
We actually also do something similar with our hana layer, there we use generic-pool and keep multiple connections in the pool and if one times out it is just reconnected, so it can be reused when needed.
This however you have to do in a custom implementation and is nothing, that we can offer generically."
Is there an option to solve that via the SAP Cloud SDK?
Regarding the question:
Talking of cookies, do you mean some in memory session cookie to know the timestamp of the last sent request?
I would say yes, that could be the perfect solution to track when the next request without cookies should be sent. Or even better a proactive request is triggered to avoid slow response times in the next request of a real user.
Best regards Gregor
Thank you for moving it here, @gregorwolf. We'll take a look shortly.
Hi @gregorwolf ,
I have some questions.
Q1:
We actually also do something similar with our hana layer, there we use generic-pool and keep multiple connections in the pool and if one times out it is just reconnected, so it can be reused when needed.
So for every connection, you have a session cookie that you can reuse for upcoming requests to avoid heavy authentication flow. Does it mean, every 25m you make a dummy request to get a new session id, which is saved in the response header with the key B1SESSIONID? When you need a connection in your case, is there any configuration for specifying a scope? For example, the scope can be:
- a session id can be shared with all the requests
- session ids are split to two groups for get/non-get requests usages.
- only get requests can retrieve the existing session id
Q2: The client of the SAP Business One is not released, but you can generate it by using our generator. In your case, are you using the generated client or the generic http client? This is related to the API design.
Q3: Do you use the SDK in the frontend/browser or backend system? I'm asking because in the frontend, you can enable the session cookie without any additional effort, so I guess it's backend?
Best regards, Junjie
Hi @jjtang1985,
thank you for your questions. I try to answer in the best way I can:
Q1:
Currently I do not have any POST requests. For the moment I would say that the session ID could be shared with all the requests. It should be possible to still use the SAP BTP Cloud Foundry Destination configuration:
to avoid any separate credential storage. As you see we're using a fixed destination with basic authentication.
Q2: Right now we use CAP (that is internally using Cloud SDK) to call the backend. I guess that CAP is using the generic http client.
Q3: See Q2, we're using CAP as the middleware deployed to SAP BTP Cloud Foundry.
Best regards Gregor
Hi @gregorwolf
Thank you for your quick answer.
Does it mean, every 25m you make a dummy request to get a new session id, which is saved in the response header with the key B1SESSIONID?
Maybe you can also confirm my assumption in the first part of Q1 or correct me. Sorry for not splitting it.
Best regards, Junjie
If needed we could schedule such a request to avoid that the user has to wait on the next request. But in principle such a regular request shouldn't be needed when the cookie is correctly refreshed when it changes in the response.
Hi @jjtang1985,
in the meantime I've created the project SAP Business One Service Layer Reverse Proxy. Just today I've successfully tested against the real B1 System. The most important learning was that the SAP Business One Service Layer sends back these two cookies:
"set-cookie": [
"B1SESSION=5f8cbf40-72b5-11eb-8000-005056ad3b42;HttpOnly;",
"ROUTEID=.node3; path=/"
],
So it's not only the session but also the routeid that must be passed back due to the load balancing of the service layer.
Best regards Gregor
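The cookie handling discussed in this thread, as an added example that is not part of the original posts and is neither SAP Cloud SDK nor reverse-proxy code: an in-memory store that keeps both `B1SESSION` and `ROUTEID` from `set-cookie`, replaces them when the response changes them, and signals when a new login is needed. `SessionCookieStore`, `IDLE_LIMIT_MS` and the sample header values are hypothetical; treating the 30 minutes as an idle timeout that each request resets is an assumption taken from the support answer quoted above.

```javascript
// Assumption: 30 min idle lifetime, reset by every request sent with the session.
const IDLE_LIMIT_MS = 30 * 60 * 1000;

// Constructed sample in the shape of the set-cookie array posted above.
const SAMPLE_SET_COOKIE = [
  'B1SESSION=00000000-0000-0000-0000-000000000001;HttpOnly;',
  'ROUTEID=.node3; path=/',
];

// One store per destination and technical user: the cookies are credentials,
// so they stay in process memory and are never shared across destinations.
class SessionCookieStore {
  constructor(now = () => Date.now()) {
    this.now = now;            // injectable clock, so expiry can be tested
    this.cookies = new Map();  // cookie name -> value
    this.lastUsed = 0;
  }

  // Keep only name=value from each set-cookie entry; attributes such as
  // HttpOnly and path are dropped. A changed value replaces the old one.
  update(setCookieHeaders = []) {
    let stored = false;
    for (const header of setCookieHeaders) {
      const pair = header.split(';')[0].trim();
      const eq = pair.indexOf('=');
      if (eq <= 0) continue;   // malformed entry, ignore it
      this.cookies.set(pair.slice(0, eq), pair.slice(eq + 1));
      stored = true;
    }
    if (stored) this.lastUsed = this.now();
  }

  isFresh() {
    return this.cookies.has('B1SESSION') &&
      this.now() - this.lastUsed < IDLE_LIMIT_MS;
  }

  // Cookie header for the next request, or null when the caller has to
  // authenticate again (no session yet, or idle limit exceeded).
  cookieHeader() {
    if (!this.isFresh()) {
      this.cookies.clear();    // do not keep stale credentials around
      return null;
    }
    this.lastUsed = this.now();
    return [...this.cookies].map(([k, v]) => `${k}=${v}`).join('; ');
  }
}
```

A caller sends `cookieHeader()` as the `Cookie` request header when it is not null, logs in again when it is null, and passes every response's `set-cookie` array to `update()`.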
Hi @gregorwolf ,
thank you very much for sharing the details about the cookie.
The team is aware of this feature request and will let you know once there are further updates.
@artemkovalyov FYI. Junjie
Since we have a backlog item for this with an acceptance criteria to update the issue once something is done. However, I am afraid that this issue does not have high priority at the moment. So I would close the issue?
Hi @FrankEssenberger, as the Proxy provides a workaround I will close the issue.
I'll reopen and will close it when this is solved.
As we have the workaround, the ticket will be closed.