This may be useful for any of your customers that ask about some security aspects of the Service Manager web client.
Current SM web tiers (version 7 and above) can change the session ID after login. You can trace this using a browser add-on like HTTPHeaders or HttpWatch (if you have the fully paid version). Look for the JSESSIONID cookies that get created during the login process. You will see that the app server where the SM web tier is running provides a unique JSESSIONID when the user hits the index.do/ess.do login page. The JSESSIONID is then changed after the user hits the "Log in" button.
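The check described above can also be run over a saved header trace. The following is an added example, not part of the original post or of Service Manager: it reads a trace and reports whether JSESSIONID changed after the login submit. The trace, host name, `/sm` context path, cookie values and the rule that the first POST is the login are constructed assumptions.

```python
import re

# Constructed header trace, not captured from a real system. The /sm context
# path, the POST to index.do and the cookie values are assumptions.
SAMPLE_TRACE = """\
GET /sm/index.do HTTP/1.1
Host: sm.example.test

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=AAAA1111PRELOGIN; Path=/sm; HttpOnly

POST /sm/index.do HTTP/1.1
Host: sm.example.test
Cookie: JSESSIONID=AAAA1111PRELOGIN

HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=BBBB2222POSTLOGIN; Path=/sm; HttpOnly
"""

JSESSIONID_RE = re.compile(r"\bJSESSIONID=([^;\s]+)")

def parse_messages(trace):
    """Split a trace into (start_line, {lowercased header: [values]}) tuples."""
    messages = []
    for block in re.split(r"\n\s*\n", trace.strip()):
        lines = block.strip().splitlines()
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        messages.append((lines[0], headers))
    return messages

def check_rotation(trace, login_method="POST"):
    """Return (pre_login_id, post_login_id, rotated) for one login sequence."""
    pre_id = post_id = None
    login_seen = False
    for start_line, headers in parse_messages(trace):
        if start_line.startswith(login_method + " "):
            login_seen = True  # assumption: the first POST is the login submit
        for value in headers.get("cookie", []) + headers.get("set-cookie", []):
            match = JSESSIONID_RE.search(value)
            if match and login_seen and "set-cookie" in headers:
                post_id = match.group(1)  # id issued after credentials were sent
            elif match and not post_id:
                pre_id = match.group(1)   # id in use before or at login
    return pre_id, post_id, bool(pre_id and post_id and pre_id != post_id)
```

A `rotated` value of `False` means the ID issued on the login page was still the active one after authentication, either because no new cookie was set or because the same value was reissued.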