we are trying to set a session module in a external website (iframe) , this one has authentication. what kind of information should a cookie contain so that Qliksense understands which user is connected so that the section access works (data reduction) on the application.
Section Access and the Session module are independent of one another except for that you bind a session to a userdirectory\userid when you send the sessionid value to the QPS rest service. Once you authenticate with Qlik Sense using the same session id the user information was assigned to when the application is opened the userid will be passed in to invoke Section Access.
Sorry I have a problem understanding the logic behind authentication+section access,
how can a user who connects through the extranet get to see the data he's only allowed to see? what information should the cookie of the extranet contain ? and how can Qlik recognise the user through the cookie so that it opens the right application and show his reduced data (section acccess)?
Cookie just needs to have a value that Qlik Sense will reference. When you make the request to the QPS with the cookie value and the userid, that information is stored proxy's session module. When a user access Qlik Sense, the session cookie value you provided tells the proxy who the user is via a lookup basically (some facsimile thereof) and sends that along to the engine. When the user opens the app, the engine reads in the userid where the section access portion of the script performs the data reduction for the user.
Here is an overview for security that may be helpful to you.