You create a login session when you log in to the appliance through the browser or some other client (for example, using the REST API). Additional requests to the appliance use the session ID, which must be protected because it represents the authenticated user.

A session remains valid until you log out or the session times out (for example, if a session is idle for a longer period of time than the session idle timeout value).