Termination of all user sessions
An administrator or a back-end application can use the ISAM administration API to call the pdadmin command that terminates all sessions for a specific user based on the user's login ID.
For example:
pdadmin> server task instance-webseald-host terminate all_sessions login_idThe pdadmin server task terminate all_sessions command is not supported in a distributed session cache environment. Use the dscadmin session terminate command instead.
The user's login ID (login_id) can be passed to the junctioned back-end server in the ISAM iv-user header. To accomplish this task, we must initially create the junction using the -c iv_user option and argument. See Client identity in HTTP headers (-c).
The WebSEAL session cache is organized to cross-reference the user's login ID, the WebSEAL session ID, and other cache entry information. A user always has the same login ID across multiple sessions. Each WebSEAL session ID, however, is unique. The pdadmin server task terminate all_sessions command removes all cache entries belonging to a specific user's login ID.
WebSEAL checks for appropriate permissions on the initiator of the pdadmin command before terminating user sessions.
It is important to consider the conditions under which this command might be used. If the intent is to make sure a certain group of users are removed from the secure domain entirely, the pdadmin server task terminate all_sessions command is only effective when, in addition, the accounts for those users are made not valid (removed).
Certain authentication methods—such as basic authentication, client-side certificate, LTPA cookies and failover cookies—return cached authentication information automatically with no user intervention. The pdadmin server task terminate all_sessions command would not prevent return logins for users using any of those authentication methods. We must additionally invalidate the appropriate user accounts in the registry.
When a user is logged out unexpectedly because of session termination, the original session cookie remaining on the user's browser becomes an old, or "stale" cookie that no longer maps to an existing entry in the WebSEAL session cache. When the user makes a subsequent request for a protected object, WebSEAL requires authentication and returns a login form. We can customize the login response to contain additional information explaining that the reason for the new login requirement. For further information on this feature, see Customized responses for old session cookies.
Parent topic: Terminating user sessions