There is no guarantee that each invokation of a ServerRoutine will use the same connection.
HTTP (and HTTPS) are STATELESS Protocols, so the Webserver effectively considers the connection DEAD once the server routine ends.
In certain situations, it may well appear that the same connection gets re-used, but as i said, there is no guarantee, so i would avoid it if you can.
if you are using HTTPS, then you can set the SessionMethod to 'SecureCookie', this will be a SECURE cookie that gets set when you do #com_owner.StartSession.
you can capture the cookie using the webserver (and even try get_cookie).
If you are a LANSA employee -- please PM me and i can take you through how we secure a website using Portalize.
If you are not, perhaps speak to your LANSA rep about seeing a demo of portalize.
Portalize has been penetration tested, and is robustly secure (even to the point of being able to BAN IPs that make repeated incorrect attempts).
There is a lot you can do, and some bits that are difficult to do...
I would also suggest, that where possible, using oAuth2 for your user validation can be beneficial (essentially you are handing off the user validation to a third party that does security well (eg. Microsoft AzureAD or Google are ones that i have used). A side-benefit is that users that are already logged in to the Microsoft AzureAD will be able to get a token without re-entering their passwords. Typically oAuth2 'setup' requires that you specify to the provider how long a token is valid for... meaning that you can always check if the token is still valid before carrying out a server routine.