Re: Secure persistence API access
Posted by Erik Bruchez on Dec 30, 2014; 7:35pm
URL: https://discuss.orbeon.com/Secure-persistence-API-access-tp4659372p4659381.html
The Orbeon-Token header is a randomly-generated token generated by Orbeon. It is used so that when Orbeon performs an HTTP request to itself, the destination knows it comes from Orbeon and not an external, non-trusted party.
This token is not useful for anybody but Orbeon itself.
With Orbeon Forms 4.7, which gets rid of internal requests, it is of even less use, except to protect requests to the internal eXist database.
You should be able to forward the session cookies with this property:
<property as="xs:string" name="oxf.http.forward-cookies" value="JSESSIONID JSESSIONIDSSO"/>
-Erik
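The mechanism described in the post above, sketched as an added example that is not part of the original post and not Orbeon's own code: a per-process random token marks requests the application sends to itself, and only the cookies named in `oxf.http.forward-cookies` are copied onto that request. The function names `build_internal_headers` and `is_internal` and the sample cookie values are assumptions made for illustration.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Illustrative model only (assumption): not Orbeon's implementation.
TOKEN_HEADER = "Orbeon-Token"                         # header name from the post
FORWARD_COOKIES = "JSESSIONID JSESSIONIDSSO".split()  # property value from the post

# Generated once per process and never handed to external callers.
INTERNAL_TOKEN = secrets.token_hex(32)


def build_internal_headers(incoming_cookie_header, token=INTERNAL_TOKEN,
                           names=FORWARD_COOKIES):
    """Headers for a request the application sends to itself.

    Only the allow-listed cookies from the user's incoming request are
    forwarded, so the destination sees the same session and nothing else.
    """
    jar = SimpleCookie()
    jar.load(incoming_cookie_header or "")
    forwarded = "; ".join(f"{n}={jar[n].value}" for n in names if n in jar)
    headers = {TOKEN_HEADER: token}
    if forwarded:
        headers["Cookie"] = forwarded
    return headers


def is_internal(headers, token=INTERNAL_TOKEN):
    """True only if the request carries this process's token.

    compare_digest avoids leaking how many leading characters matched.
    A missing header is treated the same as a wrong one.
    """
    presented = headers.get(TOKEN_HEADER, "")
    return hmac.compare_digest(presented.encode(), token.encode())


if __name__ == "__main__":
    # Constructed sample Cookie header from a user's browser.
    sample = "JSESSIONID=abc123; theme=dark; JSESSIONIDSSO=sso456"
    internal = build_internal_headers(sample)
    print(internal["Cookie"], is_internal(internal))
    # An external caller has the session cookie but cannot know the token.
    print(is_internal({"Cookie": "JSESSIONID=abc123"}))
```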