This is not easy to answer, so let me walk you through the flow in QlikView and talk about the life of the different sessions in QlikView.
Let’s start at the browser. The most common way of maintaining a session in the web layer is session cookies. Session cookies is a small set of information that the browser will send with every request in a session. Session cookies is also what QlikView uses to maintain the web layer sessions. So once authenticated, QlikView knows who you are and will assign a random set of characters, stored in a session cookie in the browser, to identify your future requests to QlikView.
The session cookie will identify your requests until you either log out or your session times out from inactivity.
The web session is the first session you will encounter using QlikView. The second session is the QlikView server session.
So what is a QlikView server session? Think of the QlikView server session as the place where QlikView keeps track of what you are doing in a document. The session is identified by a user’s access to one document. As you click in the document, your state will be recorded in the session. Your session is maintained in memory while you are active in the document and a bit longer. When a QlikView server session times out, the state is written to disc. If you come back to the same document later you can continue exploring at the same place you left off.
So when are the different sessions used?
If you use the AJAX client, both sessions are used. If you lose your web session you will have to re-authenticate to get a new session and if the QlikView server session times out you will have to reconnect.
If you use the thick client or the plugin, these talk directly to the QlikView server and therefore only use QlikView Server sessions.
The timeouts can be configured: the timeout configuration you do in the QMC is related to the QlikView Session; whereas the timeout values for the web session only are configurable in the local configuration file for the web server.
So now you know how sessions are used in QlikView. Even though this is not directly related to security, it will help you understand concepts like load balancing, web tickets and authentication in QlikView.
I hope you found this information useful, if you have any other subjects related to security that you like me to write about please leave a comment.