8.4. Session-handling in HTTP

Communication over HTTP consists of client requests and server responses (also called exchanges). Unlike in other protocols, for example SSH, these request-response pairs do not form a well-defined, continuous connection. Therefore, PSM assumes that an HTTP request-response pair belongs to a specific session if all of the following are true:

  • The IP address of the client is the same

  • The hostname of the target server (not the IP address) is the same

  • The username is the same (if the user has performed inband authentication)

  • The time elapsed since the last request-response pair between the same client and server is less than the session timeout value (15 minutes by default).

PSM creates a separate audit trail and records the accessed URLs for every session. These are displayed on the Search > Search page. If any of the columns is not visible, click Customize columns....

For technical reasons, in authenticated sessions the login page where the user provides the credentials is not part of the session associated with the username. This means that even if the login page is the first page that the user visits, PSM will record two sessions: the first does not include a username, the second one does. These two sessions are visible on the Active Connections page (until the unauthenticated session times out).
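
The grouping rules and the login-page behavior described above, as an added example (this is not PSM's own code): a Python function that assigns exchange records to sessions by client IP, target hostname and username, using the 15-minute default timeout. The record layout, the sample addresses and hostnames, and the name `group_sessions` are assumptions made for illustration.

```python
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(minutes=15)  # default value stated above

# Constructed sample records (not real audit data):
# (timestamp, client IP, target hostname, username or None, URL)
EXCHANGES = [
    ("2024-01-01T10:00:00", "10.0.0.5", "app.example.com", None, "/login"),
    ("2024-01-01T10:00:20", "10.0.0.5", "app.example.com", "alice", "/dashboard"),
    ("2024-01-01T10:05:00", "10.0.0.5", "app.example.com", "alice", "/reports"),
    ("2024-01-01T10:30:00", "10.0.0.5", "app.example.com", "alice", "/reports/q1"),
    ("2024-01-01T10:31:00", "10.0.0.9", "app.example.com", "alice", "/dashboard"),
]


def group_sessions(exchanges, timeout=SESSION_TIMEOUT):
    """Assign each exchange to a session; return the sessions in start order."""
    sessions = []
    latest = {}  # (client IP, hostname, username) -> most recent session
    for ts, ip, host, user, url in sorted(exchanges, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (ip, host, user)
        session = latest.get(key)
        # Same session only if the gap since the last exchange is below the timeout.
        if session is None or when - session["last"] >= timeout:
            session = {"key": key, "start": when, "last": when, "urls": []}
            sessions.append(session)
            latest[key] = session
        session["last"] = when
        session["urls"].append(url)
    return sessions


if __name__ == "__main__":
    for s in group_sessions(EXCHANGES):
        ip, host, user = s["key"]
        print(f"{s['start']:%H:%M:%S} {ip} -> {host} user={user or '-'} {s['urls']}")
```

With the sample records, the `/login` request forms its own session without a username, the 25-minute gap starts a new session for the same user, and the same username from a different client IP is a separate session.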