The WebContext is an abstraction do deal with the HTTP request and response.

To specifically deal with the session, it relies on a SessionStore which may be available via the getSessionStore method.

The SessionStore has the following methods:

• getOrCreateSessionId: gets or creates the session identifier and initializes the session with it if necessary
• ` get`: gets the attribute from the session
• set: sets the attribute in the session
• destroySession: destroys the underlying web session
• getTrackableSession: get the native session as a trackable object (for back-channel logout)
• buildFromTrackableSession: builds a new session store from a trackable session (for back-channel logout)
• renewSession: renews the native session by copying all data to a new one.

For example, the J2EContext currently uses the J2ESessionStore which relies on the J2E session. In Play, we have a specific cache-based PlayCacheSessionStore as well as in Knox, which has a cookie-based KnoxSessionStore.

The ProfileStorageDecision defines the decisions related to the profile, whether we must read it from and save it into the web session. It is used by the DefaultSecurityLogic:

• by default, the DefaultProfileStorageDecision is set, which is appropriate for a web application which only uses indirect clients or direct clients
• for a web application using both indirect and direct clients and mixing authentications, the AlwaysUseSessionProfileStorageDecision should be used.