_dynSessConf – Use Of Session Confirmation Number In ATG

Session Confirmation Number In ATG

When using REST services, you want to prevent the processing of malicious site requests. Oracle ATG Web Commerce platform uses a request parameter _dynSessConf, which contains a session confirmation number, to verify that a request is legitimate.

How do we get it ?
The first actor that must be invoked is the Dynamo Session Confirmation actor.The sessionConfirmationActor returns the session confirmation number. The path to this actor is /atg/rest/SessionConfirmationActor and it uses the getSessionConfirmationNumber actor-chain.

Service To Call

curl -L -v -b customer_cookies.txt -H "Content-Type: application/json" "http://localhost:8280/rest/model/atg/rest/SessionConfirmationActor/



How do we use it ?
After getting the session confirmation number we need to send this number in to request parameters. To send this number one way is to send it in query parameters like this..

curl -L -v -b customer_cookies.txt -H "Content-Type: application/json" –d
"{"firstName":\"Joe\", "middleName":\"B\", "lastName":\"Jackson\",
"email":\"jsmith@example.com\", "daytimeTelephoneNumber":\"617-637-8687\",
"homeAddress":{"atg-rest-class-type":"java.util.HashMap", "atg-rest-values":
{"address1":\"127 Main Street\", "address2":\"Suite 100\", "city":\"Cambridge\",
"state":\"MA\", "country":\"USA\", "postalCode":\"02046\", "phone":
\"555-111-3333\"}} }" "http://localhost:8280/rest/model/atg/userprofiling/

Important – When we need it ?
_dynSessConf is mandatory when we are making a call to web service which internally invokes Form Handler so in this case session confirmation number is required. Like in above Update Profile call.

  • aashish patel

    you can disable/enable this feature from
    – DAFDropletEventServlet.enforceSessionConfirmation (Globally for all the components)
    – /atg/dynamo/service/actor/Configuration.enforceSessionConfirmation (REST module level only)
    – Setting CheckForValidSession to false using rest actor-chain definition file for a form-handler or component or using form-handle in a jsp.

    • Yes we can disable if we want. Thanks for sharing.