Former Member

Session id issue and solution for public applications on HANA

HANA is all-sufficient as a platform. It has everything out of the box to develop applications – DB, XS Engine, SAPUI5.

Even though HANA is mostly considered for enterprise application development, it can also be used as a platform for public web applications and sites.

In the text below I’m going to talk about some points to keep in mind when you start building non-enterprise systems on HANA.

So what is a usual web application in terms of user access?

  1. everybody can access it
  2. sooner or later you will be forced to log in to the application somehow to get the service
  3. login via social networks is widely used and can be considered a de facto standard

Let’s look at what HANA offers in the user access area. Currently HANA supports the following authentication methods:

For non-interactive logon:

    1. X509 authentication
    2. SPNego
    3. SAP logon ticket
    4. Basic authentication

For interactive logon:

    1. SAML
    2. Form-based authentication

And ‘None’ for public applications.

This is one more proof for the statement ‘HANA is still mostly enterprise-oriented’ 🙂

The only thing we can take from the above list for our use case is the ability to make public applications. All the rest must be done manually.

Custom session management (login step) can look like:


I think it is clear that on every subsequent call from the UI to the backend the sessionId must be provided as a cookie and validated on the HANA server.

This approach is nice but there is one issue here – sessionId generation.

Let’s think about how we can do that. There are two ways: do it on our own, or try to reuse the token/cookies from the social network.

Expanding on the first way, we can do it:

  1. on client side:
    1. Math.random()
    3. other jQuery/JS plugins, libs
  2. on XS Engine side:
    1. same as in #1, except jQuery (unless you ported jQuery to XS 🙂)
  3. on HANA side:
    3. some magic like: populate table with ‘random’ values via #1 or 2 and ‘randomly’ select from this table

With all of these points there is one huge issue – they are not designed to be used as session ID generators. They produce values with low entropy.

This contradicts the basic requirements for session ID generation (some details can be found here).
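An added example, not part of the original post, of what a purpose-built session ID generator and the server-side check on each call look like. It assumes Node.js rather than XS (the post's point is that XS offers no such API), and `SessionStore` and its methods are hypothetical names.

```javascript
// Added example: Node.js stand-in for the server side, not XSJS and not the author's code.
const nodeCrypto = require("crypto");

const ID_BYTES = 16;                 // 128 bits drawn from the OS CSPRNG
const ID_PATTERN = /^[0-9a-f]{32}$/; // exact shape of an ID this store issues

class SessionStore {
  constructor(ttlMs, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;            // injectable clock (assumption, used for testing)
    this.sessions = new Map(); // sha256(sessionId) -> { user, expires }
  }

  // Only the digest is stored, so a dump of the store does not reveal live IDs.
  static digest(id) {
    return nodeCrypto.createHash("sha256").update(id).digest("hex");
  }

  // Login step: issue a fresh, unpredictable ID for the authenticated user.
  create(user) {
    const id = nodeCrypto.randomBytes(ID_BYTES).toString("hex");
    const expires = this.now() + this.ttlMs;
    this.sessions.set(SessionStore.digest(id), { user, expires });
    return id; // sent to the browser as the session cookie value
  }

  // Every later call: validate the cookie value; returns the user or null.
  validate(cookieValue) {
    // Reject anything that does not have the shape of an issued ID.
    if (typeof cookieValue !== "string" || !ID_PATTERN.test(cookieValue)) {
      return null;
    }
    const key = SessionStore.digest(cookieValue);
    const entry = this.sessions.get(key);
    if (!entry) return null;
    if (entry.expires <= this.now()) {
      this.sessions.delete(key); // expired sessions are dropped on sight
      return null;
    }
    return entry.user;
  }
}
```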

Moving to the second way. Reusing the token/cookie (provided by the social network) directly is not really a good idea either, because, for example, it can change over time (Facebook can validate the current FB cookie and issue a new one still pointing to the same user’s session). All we can do here is add some salt and apply a hash function. We could 🙂 if we were provided with an API by the HANA team 🙂

So there is no direct, obvious way to generate a reliable, strong sessionId from HANA application code. But there is a tricky workaround, as usual 🙂

The approach is the following:

  1. create a destination pointing to localhost
  2. create an empty password-protected xsjs service
  3. create a technical user with access to the package containing the password-protected service
  4. call the protected service via the destination, passing userName/password
  5. extract the sessionId (and the CSRF protection token if needed) from the response cookies/headers

As simple as that 🙂

Simplest implementation can look like:


utils.xsjs listing:

function generateSessionIdAndToken() {
    // Destination "localhost" defined in package training.dlapanik.SessionId
    var destination = $.net.http.readDestination("training.dlapanik.SessionId", "localhost");
    var client = new $.net.http.Client();
    var request = new $.net.http.Request($.net.http.GET, "/training/dlapanik/SessionId/private/getSessionId.xsjs");
    // Basic authentication: Base64 of <user_name>:<password> for the technical user
    request.headers.set("Authorization", "Basic U2Vzc0lkVGVjaFVzZXI6SW5pdGlhbDIzNA==");
    // Ask the server to return a CSRF protection token as well
    request.headers.set("X-CSRF-Token", "Fetch");
    client.request(request, destination);
    var response = client.getResponse();
    if (response.status === $.net.http.OK) {
        $.response.status = $.net.http.OK;
        // Session id and CSRF token issued by HANA for the technical user's logon
        return {
            sessionId : response.cookies.get("xsSessionId"),
            csrfToken : response.headers.get("x-csrf-token")
        };
    } else {
        return {
            status : "not OK:" + response.status
        };
    }
}

Here we see pure XSJS Outbound API usage.

The only question that may come up is about the header named ‘Authorization’. This is the way to pass the user name/password into the service call. The value you see after ‘Basic’ is the Base64 encoding of the user/pass combination. For example, for SessIdTechUser:Initial234 you will get the value U2Vzc0lkVGVjaFVzZXI6SW5pdGlhbDIzNA==. I used Base64 Decode and Encode – Online to create the authorization token, providing <user_name>:<password> as input.
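The header value can be built and checked locally instead of with an online tool. This added example (not part of the original post; the helper names are hypothetical, and it uses the Node.js `Buffer` rather than XS) also shows that Base64 is a reversible encoding: anyone who can read utils.xsjs recovers the technical user's password, so that user should hold no privileges beyond the protected package.

```javascript
// Added example: build and strictly parse an HTTP Basic "Authorization" value.

// Build the header value from a user name and password.
function buildBasicAuth(user, password) {
  // The first ':' separates the two fields, so the user name cannot contain one.
  if (user.includes(":")) throw new Error("user name must not contain ':'");
  const pair = Buffer.from(user + ":" + password, "utf8");
  return "Basic " + pair.toString("base64");
}

// Parse a header value; returns { user, password } or null if malformed.
function parseBasicAuth(header) {
  const m = /^Basic ([A-Za-z0-9+/]+={0,2})$/.exec(header);
  if (!m) return null; // wrong scheme, bad alphabet, or too much padding
  const raw = Buffer.from(m[1], "base64");
  // Buffer decodes leniently, so require that re-encoding reproduces the
  // input exactly; this rejects non-canonical padding and stray bits.
  if (raw.toString("base64") !== m[1]) return null;
  const text = raw.toString("utf8");
  const sep = text.indexOf(":"); // the password may itself contain ':'
  if (sep < 0) return null;
  return { user: text.slice(0, sep), password: text.slice(sep + 1) };
}
```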

Full project code can be found on github. Please note that the example will work if you activate it in the ‘training.dlapanik’ package. If the package is different, please adjust the code.

All in one slide:


To test, launch http://<host>:<port>/training/dlapanik/SessionId/utils.xsjs; you will get a JSON object like


To summarize: in this article we saw how to ‘ask HANA’ to generate a sessionId value for public non-enterprise HANA applications.
