Please help to answer
(For web-based user access): Describe the application session management mechanism.
Provide details on what information is contained in cookies, how they are protected, what session IDs look like (format) and what randomization algorithm is used to generate them.
(For web-based user access): Is the Session ID changed on login and on re-authentication?
Release : 11.3.6
Component : WORKLOAD CONTROL CENTER
1) Describe the application session management mechanism.
2) Provide details on what information is contained in cookies, how they are protected,
3) what session IDs look like (format) and what randomization algorithm is used to generate them.
======================================
Ans:
In AutoSysWebUI, session management happens at the Tomcat level.
In order to access the web-application functionality, the end user must have valid EEM credentials and log in successfully.
If a user tries to access any of the product URLs directly without logging in, the product redirects them to the login page.
From r12.0 onwards the product is installed with HTTPS only; it does not allow accessing the product over an HTTP protocol/URL.
Earlier installers of AutoSysWebUI (< r12.0) also default to HTTPS, but the end user could change the option to use HTTP as well.
If customers installed AutoSysWebUI with HTTP in a prior release and upgrade to r12.0 or above, the protocol remains whatever they opted for during the earlier installation. We strongly recommend using/configuring HTTPS with the product to secure access. The documentation section "Customize Secure Access to CA WCC" describes how to update the product to use HTTPS rather than HTTP.
Note: The default session timeout is 60 minutes and can be governed through "Configuration Tab | Preferences | Configuration (dropdown item) | Session Timeout".
When the end user provides a username/password on the login page, the product uses the gwt-crypto (public/private key) JavaScript module to encrypt the given credentials with the public key, using the "RSA/ECB/PKCS1Padding" algorithm and the BCFIPS provider, and sends them to Tomcat over the HTTPS channel. The Tomcat server then decrypts the credentials using the private key and passes them to EEM for authentication via the Java SDK. On successful authentication, Tomcat returns the EEM token to the client in a "Secure Cookie" (HttpOnly; Secure). This HttpOnly/Secure cookie is sent by the client in subsequent requests and validated by Tomcat.
An example cookie carrying the session ID looks as follows:
Set-Cookie: WCC-ASID=089357551958BB862D45D2ED72C355808391568B5FB1865494EB37934CE66DFC.10.255.1.45; Path=/wcc; HttpOnly; secure
As a second level of security, the product uses the CSRFGuard library to generate one-time page-level tokens that are valid only within that particular session until logout and will not work for other sessions.
======================================
4) Is the Session ID changed on login and on re-authentication?
======================================
Ans:
Yes, the session ID changes between logins and re-authentications.
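The following script is an added example for verifying the behaviour described in the two answers above; it is not part of the product or of the original KB article. It parses a Set-Cookie header in the format quoted above (64 hex characters, a dot, then an IPv4 suffix), checks that the WCC-ASID cookie carries the HttpOnly and Secure flags and the /wcc path, and compares the random part of the ID in a pre-login and a post-login response to confirm that the session ID was rotated. The sample headers are constructed for the example (the IDs and the 10.0.0.7 suffix are made up); the expected cookie name and path are taken from the example cookie in the answer, and nothing here claims to know the product's own randomization algorithm.

```python
import re
from dataclasses import dataclass

# Constructed sample headers, modelled on the Set-Cookie line quoted in the
# answer above. Not captured from a real system.
PRE_LOGIN = ("Set-Cookie: WCC-ASID=0123456789ABCDEF0123456789ABCDEF"
             "0123456789ABCDEF0123456789ABCDEF.10.0.0.7; Path=/wcc; HttpOnly; secure")
POST_LOGIN = ("Set-Cookie: WCC-ASID=FEDCBA9876543210FEDCBA9876543210"
              "FEDCBA9876543210FEDCBA9876543210.10.0.0.7; Path=/wcc; HttpOnly; secure")
# Deliberately weak header (short ID, no HttpOnly, no Secure) to exercise the checks.
WEAK = "Set-Cookie: WCC-ASID=abc123.10.0.0.7; Path=/wcc"

# Expected shape: 64 hex chars (256 bits) + "." + dotted-quad IPv4 suffix.
ID_PATTERN = re.compile(r"^[0-9A-Fa-f]{64}\.\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class SessionCookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value ("" for bare flags)


def parse_set_cookie(header: str) -> SessionCookie:
    """Split a Set-Cookie header into name, value and attribute map."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return SessionCookie(name.strip(), value.strip(), attrs)


def check_session_cookie(header: str, expected_name: str = "WCC-ASID") -> list:
    """Return a list of findings; an empty list means the cookie passes."""
    cookie = parse_set_cookie(header)
    findings = []
    if cookie.name != expected_name:
        findings.append(f"unexpected cookie name {cookie.name!r}")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly flag: token readable by page scripts")
    if "secure" not in cookie.attrs:
        findings.append("missing Secure flag: cookie may be sent over plain HTTP")
    if cookie.attrs.get("path") != "/wcc":
        findings.append("Path is not scoped to /wcc")
    if not ID_PATTERN.match(cookie.value):
        findings.append("session id does not match <64 hex chars>.<ipv4> format")
    return findings


def random_part(header: str) -> str:
    """The hex portion of the ID, i.e. everything before the IP suffix."""
    return parse_set_cookie(header).value.split(".", 1)[0].lower()


def session_id_rotated(before: str, after: str) -> bool:
    """True when the random part of the ID changed between two responses."""
    return random_part(before) != random_part(after)


if __name__ == "__main__":
    for label, hdr in (("pre-login", PRE_LOGIN), ("post-login", POST_LOGIN), ("weak", WEAK)):
        print(label, check_session_cookie(hdr) or "OK")
    print("rotated on login:", session_id_rotated(PRE_LOGIN, POST_LOGIN))
```

To use it against a live deployment, capture the Set-Cookie header from the first response to the login page and from the response to a successful login (and again after a re-authentication), substitute those for the constructed constants, and run the checks; the format check only confirms the visible shape of the ID, not the quality of the generator behind it.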