APPSRV Procedure

SESSION Statement

Controls how a session is administered by the Application Server

Syntax

Optional Arguments

INIT=program-name
specifies programs to be run when a session is created and destroyed (including those that expire by timing out). By default, no program is run at the creation and destruction of a session. The program names referenced here must be in the same format as the _PROGRAM variable. Also, the libraries or files that contain these programs must be allocated in a previous ALLOCATE statement.
INVSESS=program-name
specifies a program that is to be run in the place of the requested program if the session that is specified by _SESSIONID does not exist. This can happen if the session expired or if the session ID was modified by the client. Two special macro variables are created for the invalid session program. The _USERPROGRAM variable contains the name of the program that was requested by the user. This is the value that is specified by the _PROGRAM variable in the original request. The _INVSESSREASON variable has NOSESSION as its value, which means that the session specified by _SESSIONID does not exist.
The invalid session program can be used to display an informative response when a user session has expired or is otherwise inaccessible. The response can redirect the user to an application login screen, explain how to restart the application, or provide a friendlier error message.
TERM=program-name
specifies programs to be run when a session is created and destroyed (including those that expire by timing out). By default, no program is run at the creation and destruction of a session. The program names referenced here must be in the same format as the _PROGRAM variable. Also, the libraries or files that contain these programs must be allocated in a previous ALLOCATE statement.
Remember that when you delete a session, it is marked for deletion only. A session is not deleted until the cleanup routine runs. A user creates a session only once throughout an application. The user can reuse the session, but deletion of the session does not occur until the end of the application.
In the following example, a user creates a session and then deletes that session. When the user tries to create a new session in the same test program, they get a warning.
testa.sas (creates session1 -> calls testb.sas)
testb.sas (uses session1 -> deletes session1 -> creates new session2)
The user cannot create session2, because session1 is still being used. Furthermore, after a session is marked for deletion, another user cannot access that same session, even before the cleanup process runs.
TIMEOUT=seconds
specifies the number of seconds that elapse before a session expires. The default session time-out is 900 (15 minutes). This value can be changed in a request program by calling the Application Dispatcher APPSRVSET function. An Application Server does not honor a pool service idle time-out stop request from the Load Manager until all sessions have expired.
MAXTIMEOUT=seconds
is the maximum number of seconds that a time-out can be set to using the APPSRVSET function. For more information about setting the session time-out from a request program, see the SAS/IntrNet Application Dispatcher documentation for the APPSRVSET function.
VERIFY=(variable-1 <...variable-n>)
is a space-delimited list of variable names. A session reconnect is a request for a _SESSIONID for an existing session. For enhanced security, the Application Server can verify other request variables in addition to validating the _SESSIONID for all session re-connects. For example, the Application Server can ensure that the variable _RMTUSER is the same for all session re-connects. This makes it more difficult for one client to steal another client's URL and access the first client's session information. Enclose the list of variables in parentheses.