
Session authentication is an authentication method whereby a client logs in to the server once with username and password and in return receives a time-limited session identifier — typically as a cookie. All subsequent requests pass this identifier instead of the actual access credentials; the server resolves the identifier server-side and thus knows the associated user.
Context
The Service Layer of SAP Business One consistently works with session authentication. On success, the login call POST /b1s/v2/Login with the JSON payload {CompanyDatabase, UserName, Password} sets the B1SESSION cookie, which is sent with all further HTTP requests. Sessions expire after a configured period of inactivity, after which requests receive HTTP 401 responses — clients therefore need to implement auto-relogin logic that intercepts the 401, logs in again, and retries the original request. Advantages include simple integration (only cookie management required, no token handling), clear assignment to a B1 company tenant, and server-side revocability via Logout. The DI Server uses comparable logic with its own SessionID; the SAP B1 Windows client also holds a session against the company DB.
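The auto-relogin logic described above, as an added example that is not part of the original page and not SAP's own code. The class name, the `opener` parameter and the single-retry policy are assumptions; only the /Login path and payload fields come from the text.

```python
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar


class ServiceLayerClient:
    """Cookie-based Service Layer session with one re-login on HTTP 401."""

    def __init__(self, base_url, company_db, user, password, opener=None):
        # base_url is assumed to end in /b1s/v2 and to use https://
        self.base_url = base_url.rstrip("/")
        self._login_body = {"CompanyDatabase": company_db,
                            "UserName": user, "Password": password}
        # The cookie jar stores B1SESSION and replays it on later requests.
        # `opener` is a hypothetical injection point for tests.
        self._opener = opener or urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))

    def _send(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"Content-Type": "application/json"})
        with self._opener.open(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def login(self):
        return self._send("POST", "/Login", self._login_body)

    def request(self, method, path, body=None):
        try:
            return self._send(method, path, body)
        except urllib.error.HTTPError as err:
            if err.code != 401:
                raise  # only an expired or missing session triggers re-login
        # Log in once and retry exactly once. A 401 from /Login or from the
        # retry propagates, so rejected credentials cannot cause a login loop.
        self.login()
        return self._send(method, path, body)
```

Because re-login needs the credentials, the client keeps them in memory for its lifetime; load them from a secret store rather than from source code.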
Demarcation
Session authentication is not a standard like OAuth 2.0 or OpenID Connect: it tightly couples the client and server, makes horizontal scaling and stateless APIs more complex, and is therefore less suitable for public APIs with many consumers. Tokens (JWT, Bearer) carry their validity and claims themselves, making them stateless. Compared to Basic Authentication, session authentication is more secure because credentials are not sent with every request — with the caveat that the cookie itself must be protected (HTTPS, HttpOnly, Secure, SameSite).