Although RESTful applications are ideally stateless, the ALM platform requires sessions to manage locking and client lifetime and to perform other basic tasks. Session management cookies are provided by the first authenticated access to ALM.
Your application should wait for the first authenticated request to return before allowing subsequent server calls. Failure to do so may result in your application having several sessions open. An application that has more than one session open may interfere with activities that require session-dependent functionality, such as entity locking. In addition, the overhead of opening and maintaining sessions affects server performance.
The same session can be used to access resources of different projects in a site.
If a session expires, all locks are released and other session-dependent functionality expires with the session. Therefore, if an application connects to a new session, discard all data downloaded previously. If you do not, the next PUT operation can overwrite changes made by another user while the entity was not locked.
The time-out for a REST Client session is set with the site administration parameter REST_SESSION_MAX_IDLE_TIME. The default is 60 minutes.
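One way a multi-threaded client can follow the rules above, shown as an added example that is not part of the ALM documentation or product code. It makes every caller wait for the first authenticated request and discards downloaded data whenever a new session is opened. `SessionGate`, `open_session`, and the cookie dictionary are hypothetical names, the transport is a constructed stand-in, and the local idle timer is an assumption that only approximates the server-side REST_SESSION_MAX_IDLE_TIME.

```python
import threading
import time

class SessionGate:
    """Serialises session creation and ties cached entities to one session."""
    def __init__(self, open_session, max_idle_seconds=60 * 60, clock=time.monotonic):
        self._open_session = open_session   # hypothetical: does the authenticated request, returns cookies
        self._max_idle = max_idle_seconds   # assumed to mirror REST_SESSION_MAX_IDLE_TIME (default 60 min)
        self._clock = clock
        self._lock = threading.Lock()
        self._cookies = None
        self._last_used = 0.0
        self.cache = {}                     # entity data downloaded during the current session

    def cookies(self):
        # Every caller blocks here until the first authenticated request has returned.
        with self._lock:
            now = self._clock()
            if self._cookies is None or now - self._last_used >= self._max_idle:
                self._cookies = None
                self.cache.clear()          # locks are gone, so old entity data is unsafe to PUT
                self._cookies = self._open_session()
            self._last_used = now
            return self._cookies

    def invalidate(self):
        # Call when the server reports that the session is no longer valid.
        with self._lock:
            self._cookies = None
            self.cache.clear()

def demo():
    opened, seen, now = [], [], [0.0]
    def fake_open_session():                # constructed stand-in for the authenticated request
        time.sleep(0.05)
        opened.append(f"session-{len(opened) + 1}")
        return {"session": opened[-1]}
    gate = SessionGate(fake_open_session, clock=lambda: now[0])
    workers = [threading.Thread(target=lambda: seen.append(gate.cookies()["session"])) for _ in range(8)]
    for w in workers: w.start()
    for w in workers: w.join()
    gate.cache["defect/1"] = {"status": "Open"}   # constructed sample entity
    now[0] += 61 * 60                       # idle for longer than the 60-minute default
    gate.cookies()                          # opens a new session and drops the cached entity
    return len(opened), set(seen), dict(gate.cache)

if __name__ == "__main__":
    print(demo())
```

Eight concurrent callers share the one session opened by the first request, and the entity cached before the idle period is gone once the second session starts.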