3.1.5.5 Removing Session State
A client can acquire an exclusive lock on session state by using a successful GetExclusive_Request message. The client obtains that lock-cookie value that is associated with a piece of locked session state from the response to a successful GetExclusive_Request message. Although a client can obtain a lock-cookie value from failed attempts to get session state, a client MUST only send a Remove_Request message if the client was able to successfully obtain an exclusive lock through a previous GetExclusive_Request operation.
A client sends a Remove_Request message to request that a specific set of session data be removed from the state server. A state server implementation MUST construct a unique identifier that is based on the values that are contained in the combination of application-identifier, appdomain-identifier, and session-identifier. A state server does not need to interpret these values or assign any specific relevance to them. Rather a state server implementation MUST simply use the combination of those values as the unique identifier for referencing the previously stored session state that is associated with the combination of those identifiers.
The state server MUST compare the lock-cookie value that is associated with the unique identifier, to the lock-cookie value that is sent by the client. If the values match, the state server MUST remove the corresponding session state data and respond to the web server by using a response-ok message, as specified in section 2.2.5.10.
If the lock-cookie values do not match, the state server MUST respond by using a response-locked message, as specified in section 2.2.5.8. The response-locked message contains a lock-age (section 2.2.3.10) and lock-date (section 2.2.3.8) in addition to the value of the current lock-cookie. The lock-cookie is an integer representation of the current lock. The lock-date value MUST contain the date and time that the existing lock was placed on the session state data. The lock-age header MUST contain a representation for the age of the current lock.
If the state server cannot find any session data that is associated with the requested identifier and lock-cookie, the state server MUST respond to the web server by using a response-not-found message, as specified in section 2.2.5.10.
The response-bad-request message, as specified in section 2.2.5.10, is conceptually equivalent to throwing an exception. The session state server MUST send this message if something goes wrong and the server is unable to process the request.