The Transaction server supports authentication mechanisms based on validating credentials, such as certificates, tokens, or user ID and password pairs. Credentials are verified against a user registry that supports such a scheme.

HCL Commerce token

HCL Commerce uses a secure authentication cookie to manage authentication data. An authentication cookie flows only over SSL, and is time-stamped for maximum security. This cookie is used to authenticate the user under SSL-connections whenever a sensitive command is executed, for example, the PrimePaymentCmd, which asks for a users credit card number. There is minimal risk that this cookie could be stolen and used by an unauthorized user.

A second cookie that flows between the browser and server under either SSL or non-SSL connection is used for verification of the user under non-SSL connections.

WebSphere Application Server LTPA token

An LTPA token is a piece of data that contains user information necessary to determine access permissions for a resource that is requested by the user. It contains the authentication data along with the digital signature of the WebSphere Application Server LTPA server.

In the case of the WebSphere Application Server Lightweight Third Party Authentication scheme, an LDAP directory containing the information about the users is the user registry against which authentication is performed. The resource server contacts the WebSphere Application Server Security Server and specifies LTPA to be the authentication mechanism. It also supplies the authentication data associated with the request. The WebSphere Application Server Security Server then validates the authentication data against the LTPA server and returns an LTPA token.