Genpact Cora Knowledge Center


Cora SeQuence Session Configuration

V8.7 and later


Starting with Cora SeQuence V8.7, user data is stored using a session authentication module that can be controlled by a new Session element in the web.config file.
Using the ASP.NET Session State object for user authentication persistence, referred to as AuthenticatedUser, is no longer supported.

The ASP.NET session state is disabled by default in Flowtime installations, but it is still available in Administration installations to support backward compatibility. 

Cora SeQuence session configuration

Cora SeQuence uses a cookie to store users’ state between requests. You can configure the web.config file to control the usage and attributes of the cookie.  

Just like with earlier versions of Cora SeQuence, cookies must be enabled on the client browser to ensure that the Administration and Flowtime sites function properly.

Cora SeQuence generates a unique session cookie name for each site, Administration and Flowtime.


The following table describes the attributes that you can configure for Cora SeQuence session.

Configuration is optional.

enabled
Specifies if the Cora SeQuence session is used or not.
This property is defined in two locations in the web.config file:
  • <web>: enabled and used for authentication
    • Default value: "true"
  • <location path="SequenceServices">: by default, the session persistence is disabled for the SequenceServices location.

lifetime
Specifies the time period, in minutes, after which the session authentication cookie expires. Same behavior as in the ASP.NET session cookie.
Default value: "20"

sessionCookiePath
Standard browser cookie property.
Restricts the cookie to a specific path.
Default value: "/"

maxLifetime
Specifies the time period, in minutes, for maximum cookie expiration.
maxLifeTime is not a sliding expiration property. For security purposes, login is required after the maxLifeTime period expires, even if the user has been actively using the application during the specified time period.
Default value: "1440"

sessionCookieSecure
Standard browser cookie property.
If set to "true", specifies that the cookie is sent with the client's request only over a secure connection (SSL).
Default value: "false"
Note: After initial installation, if you have configured the Cora SeQuence web application to work with HTTPS, you need to change the configuration to send the session cookie over a secure connection only.

sessionCookieName
Standard browser cookie property.
Contains the prefix of the unique cookie name as it appears in the browser.
The unique name is generated dynamically at runtime for each application, and cannot be controlled in the web.config file. The actual cookie name includes the prefix followed by a unique ID. For example, SQSession_123456.
Default value: "SQSession"
Note: The default value is SQSession even if it is not set in the web.config file with the attribute sessionCookieName=".."

sessionCookieDomain
Standard browser cookie property.
Specifies the cookie domain.
Default value: ""


  • If you used the ASP.NET session state to store and retrieve any data in your Flowtime custom implementation, when you upgrade to V8.7, you need to enable the ASP.NET session state in the web.config file.  
  • In future versions of Cora SeQuence, the ASP.NET session state will be disabled by default in Administration installations too.
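
An added example, not part of the original page or the product's tooling: a Python check that overlays each Session element's attributes on the defaults from the attribute table and flags an enabled session whose cookie is not marked secure on an HTTPS site, or whose lifetime is longer than maxLifetime. The element nesting in the sample web.config, the function names, and the lifetime comparison rule are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Defaults from the attribute table on this page (keys lowercased for matching).
DEFAULTS = {"enabled": "true", "lifetime": "20", "maxlifetime": "1440",
            "sessioncookiepath": "/", "sessioncookiesecure": "false",
            "sessioncookiename": "SQSession", "sessioncookiedomain": ""}

# Constructed sample. The nesting of the Session element is an assumption
# made for this example, not the product's verified web.config layout.
SAMPLE = """<configuration>
  <web>
    <Session enabled="true" lifetime="30" maxLifetime="20" />
  </web>
  <location path="SequenceServices">
    <Session enabled="false" />
  </location>
</configuration>"""


def effective(elem):
    """Overlay the attributes set on a Session element onto the defaults."""
    cfg = dict(DEFAULTS)
    cfg.update({k.lower(): v.strip() for k, v in elem.attrib.items()})
    return cfg


def audit(xml_text, site_uses_https=True):
    """Return (location, finding) pairs for every enabled Session element."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for elem in parent:
            if elem.tag.lower() != "session":
                continue
            where = parent.get("path") or parent.tag
            cfg = effective(elem)
            if cfg["enabled"].lower() != "true":
                continue  # session unused here, cookie settings do not apply
            if site_uses_https and cfg["sessioncookiesecure"].lower() != "true":
                findings.append((where, "sessionCookieSecure is not true"))
            if int(cfg["lifetime"]) > int(cfg["maxlifetime"]):
                findings.append((where, "lifetime exceeds maxLifetime"))
    return findings


if __name__ == "__main__":
    for where, finding in audit(SAMPLE):
        print(f"{where}: {finding}")
```

Attribute names are matched case-insensitively, so the check reads the value whether the file spells the attribute maxLifetime or maxLifeTime.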