Session management mechanisms
Session management involves the creation or definition of session identifiers on login, the setting of inactivity timeouts, session expiration, and session invalidation on logout. It may also extend to authorization checks depending on the user's privileges, as the session ID must be linked to the user.
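As an added example (not code from the original text), the following server-side session store implements the pieces listed above: identifier creation on login, an inactivity timeout, absolute expiration, invalidation on logout, and a privilege check tied to the user linked to the session ID. The class name, the timeout values and the role names are assumptions chosen for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed value: seconds of inactivity allowed
ABSOLUTE_LIFETIME = 8 * 3600  # assumed value: maximum session age in seconds


class SessionStore:
    """Server-side session table: session ID -> user, privileges, timestamps."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable so expiry can be tested
        self._sessions = {}

    def login(self, user, roles):
        # A new, unpredictable identifier is issued on every login.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "roles": frozenset(roles),
                               "created": now, "last_seen": now}
        return sid

    def validate(self, sid):
        """Return the session record, or None if unknown, idle or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s["last_seen"] > IDLE_TIMEOUT
                or now - s["created"] > ABSOLUTE_LIFETIME):
            del self._sessions[sid]   # expired sessions are removed server-side
            return None
        s["last_seen"] = now          # activity resets only the idle timer
        return s

    def authorize(self, sid, required_role):
        # The decision is based on the user record linked to the session ID.
        s = self.validate(sid)
        return s is not None and required_role in s["roles"]

    def logout(self, sid):
        # Invalidate on the server; clearing the client cookie is not enough.
        self._sessions.pop(sid, None)
```

Because expiry and logout remove the record from the server-side table, a replayed identifier is rejected even if the client still holds it.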
Sessions based on platform authentication
When platform authentication is used, the most common approach is to use the header that is already included in each request, containing the credentials or the challenge response, as the identifier for the user's session, and to manage session expiration and logout through the application's logic. As stated previously, however, it's common to find that there is no session timeout, expiration, or logout when platform authentication is in place.
If Kerberos is used, the tokens emitted by the AS already include session information and are used to manage that session.
Session identifiers
Session identifiers are more common in form...