Using a SOAP Session

This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature.

To have a SOAP request execute within the context of an existing session, it must specify the following as part of a SOAP session request to the server:

  • The same session ID that was provided by the server previously to the client.

  • The corresponding HTTP endpoint ID for the endpoint where the SOAP session was previously initiated

  • The same user context. This is either a Windows or SQL Server user, depending on the supported LOGIN_TYPE in the SOAP properties for the endpoint.

If the specified session identifier does not exist or is not correctly formed, a SOAP fault message is returned with a sqlSession element in the header with the terminate attribute. Otherwise, the server responds by echoing back the same sqlSession header that the client sent in the request.

If the request is executed under a different security context or endpoint than that which initiated the session, a SOAP fault is returned. In the response, the SOAP fault code for SOAP layer termination will be specified and in the sqlSession header the terminate attribute will be included with a value of true.

Additionally, to prevent a malicious user from determining that a session exists, the terminate attribute is set, and a SOAP fault is returned by the server as the sole response message to any request in which the session identified for enlistment is unknown to the server.

The following example shows enlisting a SOAP session. It shows the format of the SOAP message that a client sends when requesting to enlist in an existing SOAP session. Note that the actual sessionId value will be a session-specific identifier.

    <!-- enlist in an existing session -->
    <sqloptions:sqlSession sessionId="AAAAADreaLE="/>

The server will either echo the message back to the client to indicate the session can be accessed or return a SOAP fault to the client if the session identified in the request cannot be accessed.

Community Additions