Skip Navigation

Session Management

The Digital Connect services have been designed as a set of stateful JSON services, which can be consumed directly from code running directly in a web browser. 

Your first request will create a session and return session-identifying information. To maintain the session in subsequent requests, you simply pass the session-identifying information. Some of it is passed in your HTTP headers and some in URL parameters, this is explained in detail in session creation section. This section provides details of obtaining and using the session-identifying data. 

Session Data

APIs used to create a reservation and fulfill (Shop & Book, see following link) have slight differences in cookies compared to those that support the servicing of an existing reservation (Post-Booking, see following link), where applicable, these differences have been specified. 

Session data consists of the following items:

JSESSIONID Cookie

A value generated by the initial request to the server. For example a flight search request (/products/air/search) without a JSESSIONID cookie will trigger creation of a new session and will be returned JSESSIONID key in Set-Cookie response header. This value is used by the application server. To maintain the session, pass this value in all subsequent requests.

Example (Shop & Book API):

Cookie: DCSESSIONID=5391a154-0600-4a45-aafb-6cf56aee551e

Example (Post-booking API):

Cookie: JSESSIONID=8A53D60D47E457ECF7DB5547AE001D03 

WLPCOOKIE Cookie (Specific for Post-booking API)

A value generated by the initial request to the server. For example a flight search request (/products/air/search) without a JSESSIONID cookie will trigger creation of a new session and will be returned JSESSIONID key in Set-Cookie response header. This value is used by the load balancer.

Example from an output header:

Set-Cookie: WLPCOOKIE=sswhli4553; Expires=Tue, 22-Sep-2015 16:10:50 GMT; Secure; HttpOnly

Note: The expiration date returned in the header is a recommendation. While it is possible to still use the cookie’s value after the expiration date, it is recommended to not include this cookie in the user sessions that are created after the expiration date – this helps to ensure proper balancing of loads in the Digital Connect server farm.

SSWGID Cookie (Specific for Post-booking API)

This is a tracking cookie that supports Digital Connect’s analytics capabilities.

Example from an output header:

Set-Cookie:SSWGID=8AFC582B7C0D4C5F9CBDCC4C0D41A62D; Expires=Mon, 17-Nov-2025 20:38:09 GMT; Path=/; Secure; HttpOnly

AWSALB Cookie

Registers which server cluster is serving the visitor. This is used in context with load balancing, in order to optimize the user experience.

AWSALBTG Cookie

The ASWALBTG cookie is generated by the load balancer. Once the load balancer routes the client's request to one of the servers, it generates a new cookie and sends it to the client in the response header.

Execution ID

Its value is the execution key of the current conversation, and it should be included as URL parameter in all subsequent web service requests within the scope of the conversation. It is possible to open multiple conversations with an HTTP user session, for example when one passenger is creating multiple independent bookings in the session.

Consider the differences between formats depending on the type of API:

Example of an execution id as a URL parameter in an HTTP request:

https://<someurl.com>/api/products/air/search?execution=e1s1

Shop & Book API execution id sample value:

a295a7c2-3ea8-4752-b537-23fd9057fd34

Post-booking API execution id sample value:

e1s1.

Application-ID

This is a static value assigned for each customer application that needs to be included as a header in each request sent to Sabre services gateway.

Session Lifecycle

The basics of Digital Connect session lifecycle are listed below:

  • User sessions are created implicitly when a request is sent without a DCSESSIONID/JSESSIONID cookie or an execution key parameter in the URL to Post-booking and Shop & Book services which initiate the transaction/flow.
  • Sessions are not explicitly deleted but are removed automatically after expiration due to inactivity for a predefined amount of time (configuration option sat.session.timeout, which is typically 20 minutes of inactivity).
  • Executing any service within the scope of a session (by passing session identifiers in a request) automatically resets the session expiration time.
  • Execution of Digital Connect Web services happens within a conversation. A conversation exists in the scope of a user session and is identified by the execution key. This approach allows – if there is such a need – to maintain multiple independent transactional flows for the same user, within a single user session. Use of this functionality is optional.

Notes  

  • The number of independent execution flows (conversations) initiated by a user in one session, is limited by application property dc.conversation.limit and defaults to 10. If user triggers new flow creation beyond this limit, the least recently used flow is cleaned from the session and the newly created flow will be added in the session. The use of already cleaned-up flow again within the same session results in error. If the removed flow is already in progress, it throws an error and ends.
  • When sending or receiving cookies the standards outlined in RFC 6265 need to be followed. Specifically the caller needs to be prepared to handle (ignore) Set-Cookie headers that clear a cookie – have an empty string as a cookie value or expiration date from the past, for example:
Set-Cookie: WLPCOOKIE=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/SSW2010; Secure; HttpOnly

The WLPCOOKIE belongs to Post-booking API scope and is no longer needed for Shop & Book API.

Session Creation

To create a session, send a /products/air/search request without cookie headers.

HTTP request

Sample request:

POST https://<someurl.com>/<apicontextpath>/products/air/search

The request headers have to contain the following:

Content-Type: application/json 
Accept: */*
Accept-Encoding: gzip, deflate

HTTP response

The responses will contain the values that you can use to maintain the session, the execution ID, the JSESSIONID, the WLPCOOKIE, and the SSWGID.
HTTP headers are case-insensitive.

Shop & Book session creation response example:

Execution: a295a7c2-3ea8-4752-b537-23fd9057fd34 
Access-Control-Expose-Headers: Execution 
Access-Control-Allow-Headers: Execution 
Access-Control-Allow-Origin: * 
Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, DELETE 
Access-Control-Allow-Credentials: true 
Vary: Accept-Encoding  
Set-Cookie: DCSESSIONID=5391a154-0600-4a45-aafb-6cf56aee551e; Max-Age=900; Expires=Thu, 23-Feb-2023 13:13:15 GMT; Path=/; Secure; HttpOnly 
Content-Encoding: gzip  
Content-Type: application/json  
Content-Length: 2125  

Post-booking session creation response example:

Execution: e4s1 
Access-Control-Expose-Headers: Execution 
Access-Control-Allow-Headers: Execution 
Access-Control-Allow-Origin: * 
Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, DELETE 
Access-Control-Allow-Credentials: true 
Vary: Accept-Encoding  
Set-Cookie: JSESSIONID=9D7CB644D22ECAF84B7A5EA88F48FC2D; Path=/SSW2010/; Secure; HttpOnly 
Set-Cookie: WLPCOOKIE=sswhli4553; Expires=Tue, 22-Sep-2015 17:40:49 GMT; Path=/SSW2010; Secure; HttpOnly 
Content-Encoding: gzip  
Content-Type: application/json  
Content-Length: 2125  
Date: Tue, 22 Sep 2015 15:33:11 GMT  

The execution ID identifies the initial conversation within the session.

To maintain the session (or a conversation within the session), pass these values in subsequent requests.

Session Use

To execute a request within the scope of an existing session and conversation, include the user conversation and session coordinate in the HTTP Cookie header(s) and the execution ID as the URL parameter execution:

Shop & Book example:

<HTTP method name> https://someurl.com/<serviceName>?execution=<executionID>
Cookie: DCSESSIONID=<DCSESSIONID value>;

Post-booking example:

<HTTP method name> https://someurl.com/<serviceName>?execution=<executionID>
Cookie: JSESSIONID=<JSESSIONID value>; WLPCOOKIE=<WLPCOOKIE value>

The execution ID may be used in any service – including air shopping. In such case results of shopping call in the scope of the user conversation are overwritten.

An example that uses the session coordinates and conversation created in the preceding section follows.

HTTP request

The request includes the execution ID.

The request headers include the JSESSIONID and WLPCOOKIE values for the Post-booking API. For Shop & Book API, only DCSESSIONID is needed.

Shop & Book request example:

POST https://airline.api.cert.platform.sabre.com/v4/dc/products/air/search?jipcc=XXXX&execution=a295a7c2-3ea8-4752-b537-23fd9057fd34 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 
Origin: chrome-extension://hgmloofddffdnphfgcellkdfbfbjeloo 
Content-Type: application/json  
Accept: */* 
Accept-Encoding: gzip, deflate 
Accept-Language: en-US,en;q=0.8 
Cookie: DCSESSIONID=5391a154-0600-4a45-aafb-6cf56aee551e; 

Post-booking request example:

POST https://airline.api.cert.platform.sabre.com/v4/dc/pnr/mto/products/ancillaries?jipcc=XXXX&execution=e1s1 
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36 
Origin: chrome-extension://hgmloofddffdnphfgcellkdfbfbjeloo 
Content-Type: application/json  
Accept: */* 
Accept-Encoding: gzip, deflate 
Accept-Language: en-US,en;q=0.8 
Cookie: JSESSIONID=9D7CB644D22ECAF84B7A5EA88F48FC2D; WLPCOOKIE= sswhli4553 

HTTP response

The response includes the execution ID.

Execution: e4s1
Access-Control-Expose-Headers: Execution
Access-Control-Allow-Headers: Execution
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, DELETE
Access-Control-Allow-Credentials: true
Vary: Accept-Encoding 
Content-Encoding: gzip 
Content-Type: application/json 
Content-Length: 2125 
Date: Tue, 22 Sep 2015 16:33:11 GMT 

In the case of Shop & Book service response, the main difference is the format of the execution id: 5391a154-0600-4a45-aafb-6cf56aee551e. 

Other cookies like AWSALBTG, AWSALBTGCORS or AWSALB need to be sent in the same way for both flavors if appear. 

Conversation Creation

To create a new conversation in the scope of an existing user session, send a request that supplies the user session coordinates in the HTTP Cookie header(s) but omits the execution ID URL parameter.

<HTTP method name> https://<someurl.com>/<serviceName>
Cookie: JSESSIONID=<JSESSIONIDvalue>; WLPCOOKIE=<WLPCOOKIEvalue>

An example using the session coordinates from the previous section follows.

HTTP request

The request omits the execution ID.

POST https://wl19-int.sabresonicweb.com/SSW2010/D5DE/api/products/air/search

As before, the request header contains the session coordinates.

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
Origin: chrome-extension://hgmloofddffdnphfgcellkdfbfbjeloo
Content-Type: application/json 
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: JSESSIONID=9D7CB644D22ECAF84B7A5EA88F48FC2D; WLPCOOKIE= sswhli4553

HTTP response

The response contains the execution ID for the newly created conversation.

Execution: e5s1
Access-Control-Expose-Headers: Execution
Access-Control-Allow-Headers: Execution
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, HEAD, PUT, DELETE
Access-Control-Allow-Credentials: true
Vary: Accept-Encoding 
Content-Encoding: gzip 
Content-Type: application/json 
Content-Length: 2125 
Date: Tue, 22 Sep 2015 16:33:11 GMT