WSAPI sessions are established by passing a valid user ID and password (MD5 hashed) to the WSAPI login service. A successful login returns a session object that must be included in each subsequent service call. All Web service activities are subject to the ACL restrictions of the logged‑in user. WSAPI sessions are tied to the originating client IP, but not to any particular connection or HTTP session.
WSAPI sessions remain active until the session object is sent to the logout service, or the session times out because of inactivity. (The WSAPI session timeout is specified by the wsapi.sessionTimeout property in the formula.properties file.)