The SessionAuthenticationTokentype is an opaque identifier that is used to identify requests associated with a particular Session. This identifier is used in conjunction with the SecureChannelIdor Client Certificateto authenticate incoming messages. It is the secret form of the sessionIdfor internal use in the Clientand Server Applications.
A Serverreturns a SessionAuthenticationToken in the CreateSessionresponse. The Clientthen sends this value with every request which allows the Serverto verify that the sender of the request is the same as the sender of the original CreateSessionrequest.
For the purposes of this discussion, a Serverconsists of application (code) and a Communication Stackas shown in Figure 37. The security provided by the SessionAuthenticationToken depends on a trust relationship between the Serverapplication and the Communication Stack. The Communication Stackshall be able to verify the sender of the message and it uses the SecureChannelIdor the Client Certificate to identify the sender to the Server. In these cases, the SessionAuthenticationToken is a UInt32 identifier that allows the Serverto distinguish between different Sessionscreated by the same sender.
Figure 37– Logical layers of a Server
In some cases, the application and the Communication Stackcannot exchange information at runtime which means the application will not have access to the SecureChannelIdor the Certificate used to create the SecureChannel. In these cases the application shall create a random ByteStringvalue that is at least 32 bytes long. This value shall be kept secret and shall always be exchanged over a SecureChannelwith encryption enabled. The Administrator is responsible for ensuring that encryption is enabled. The Profilesin OPC 10000-7may define additional requirements for a ByteString SessionAuthenticationToken.
Clientand Serverapplications should be written to be independent of the SecureChannelimplementation. Therefore, they should always treat the SessionAuthenticationToken as secret information even if it is not required when using some SecureChannelimplementations.
Figure 38illustrates the information exchanged between the Client, the Serverand the Server Communication Stackwhen the Clientobtains a SessionAuthenticationToken. In this figure the GetSecureChannelInfo step represents an API that depends on the Communication Stackimplementation.
The SessionAuthenticationTokenis a subtype of the NodeIddata type; however, it is never used to identify a Nodein the AddressSpace. Serversmay assign a value to the NamespaceIndex; however, its meaning is Serverspecific.