My understanding is the accepting SAP Java AS will retrieve cookie information from MYSAPSSO2 and use the certificate from the issuing system to authenticate the session.
My question is, are JSESSIONID and other HTTP information used together with MYSAPSSO2 information for session authentication?
What we've observed is, if we delete JSESSIONID from the client cookie, the session is invalid right away, although we don't touch any MYSAPSSO2 information. -> But we're not sure whether this is a behavior of SAP NW Java AS or the IBM Tivoli SSO server which authenticates the access in the first place.
Also, if MYSAPSSO2 is the only information used for authentication, can the session be hijacked if this information is captured by another session?
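To make the two layers in the question concrete, here is an added, illustrative model (not SAP's, Tivoli's or any product's implementation) of a server that keeps a server-side session keyed by a JSESSIONID cookie and, when no such session exists, falls back to a signed, time-limited MYSAPSSO2-style bearer ticket. The signing key, ticket format (HMAC rather than a certificate signature), TTL, the `client` binding property and all scenario values are constructed assumptions chosen to show what each layer can and cannot check.

```python
"""Illustrative model of a two-layer login: a signed, time-limited SSO ticket
cookie plus a server-side session cookie. Not SAP's implementation."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed signing key standing in for the issuing system's key material.
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"
TICKET_TTL = 8 * 3600  # seconds a ticket stays valid (assumed policy value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, issued_at: int, key: bytes = ISSUER_KEY) -> str:
    """Produce a signed bearer ticket: base64(claims).base64(HMAC-SHA256)."""
    claims = {"user": user, "iat": issued_at, "exp": issued_at + TICKET_TTL}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_ticket(ticket, now: int, key: bytes = ISSUER_KEY):
    """Return the claims if the signature is valid and unexpired, else None."""
    if not ticket or ticket.count(".") != 1:
        return None
    try:
        body, tag = (_unb64(part) for part in ticket.split("."))
    except (binascii.Error, ValueError):
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    return claims if now < claims["exp"] else None


class AppServer:
    """Server-side session store keyed by JSESSIONID, populated from a valid ticket."""

    def __init__(self, bind_to_client: bool = True):
        self.sessions = {}  # JSESSIONID -> {"user": ..., "client": ...}
        self.bind_to_client = bind_to_client

    def handle(self, cookies: dict, client: str, now: int) -> tuple:
        """Authenticate one request. `client` models a per-connection property
        (assumed: e.g. the TLS channel) that the server may bind sessions to."""
        sess = self.sessions.get(cookies.get("JSESSIONID"))
        if sess is not None:
            if self.bind_to_client and sess["client"] != client:
                return "deny: session presented from a different client", cookies
            return f"ok: {sess['user']} (existing session)", cookies
        # No usable server-side session: the ticket alone decides, because a
        # bearer ticket carries nothing that ties it to this connection.
        claims = verify_ticket(cookies.get("MYSAPSSO2"), now)
        if claims is None:
            return "deny: no session and no valid ticket", cookies
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": claims["user"], "client": client}
        return f"ok: {claims['user']} (new session from ticket)", dict(cookies, JSESSIONID=sid)


def demo() -> dict:
    """Constructed scenarios; returns the server's verdict for each one."""
    t0 = 1_700_000_000
    srv = AppServer(bind_to_client=True)
    ticket = issue_ticket("alice", issued_at=t0)
    out = {}
    verdict, cookies = srv.handle({"MYSAPSSO2": ticket}, client="A", now=t0 + 1)
    out["first_request"] = verdict
    out["session_reuse"] = srv.handle(cookies, "A", t0 + 2)[0]
    out["jsessionid_deleted"] = srv.handle({"MYSAPSSO2": ticket}, "A", t0 + 3)[0]
    out["session_cookie_from_other_client"] = srv.handle(cookies, "B", t0 + 4)[0]
    out["ticket_replayed_from_other_client"] = srv.handle({"MYSAPSSO2": ticket}, "B", t0 + 5)[0]
    out["ticket_after_expiry"] = srv.handle({"MYSAPSSO2": ticket}, "A", t0 + TICKET_TTL + 1)[0]
    wrong_key = issue_ticket("alice", t0, key=b"not-the-issuer-key")
    out["ticket_signed_with_wrong_key"] = srv.handle({"MYSAPSSO2": wrong_key}, "A", t0 + 6)[0]
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36s} {verdict}")
```

The scenarios separate the two questions in the post. Deleting JSESSIONID drops the server-side session; whether the request then fails (as observed) or is silently re-authenticated (as in this model) depends on whether the server is willing to mint a new session from the ticket on an arbitrary request, which is a configuration property of whichever component does the first authentication. The session cookie can be bound to a connection property and checked on every request, but the ticket is a bearer credential: within its validity window the server can only verify the signature and expiry, so its lifetime and the confidentiality of the channel it travels over are the controls that limit what a captured copy is worth.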