Termination of single user sessions

An administrator or a back-end application can use the ISAM administration API to terminate a specific user session based on the user session ID.

See User session ID string format to review the structure of the user session ID string. The pdadmin server task terminate session command is supported in a distributed session cache environment.

The user_session_id portion of the user session ID string can be passed to the ivadmin_server_performtask() function. This function takes an input command string from the standard pdadmin server task terminate session command. For example:

The WebSEAL instance name can be obtained from the HTTP iv_server_name header passed in every request. Although we can manually perform this pdadmin operation, the long value of the user_session_id can make this task cumbersome.
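As an added example (not code from the ISAM documentation or the product), the following C helper shows how a back-end application could assemble the pdadmin terminate command string from the iv_server_name header value and the extracted user_session_id, rejecting values that could add or alter command tokens. The accepted character set and the length limits are assumptions; the exact arguments that ivadmin_server_performtask() expects are documented in the Administration C API Developer Reference.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Characters accepted in the two fields spliced into the command string.
 * Whitespace, quotes and other metacharacters are rejected so a crafted
 * value cannot introduce extra command tokens. This accepted set is an
 * assumption, not taken from the ISAM documentation. */
static int token_is_clean(const char *s, size_t max_len)
{
    size_t n = strlen(s);
    if (n == 0 || n > max_len)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == ':'))
            return 0;
    }
    return 1;
}

/* Build "server task <iv_server_name> terminate session <user_session_id>".
 * iv_server_name is the WebSEAL instance name from the request header of the
 * same name; user_session_id is the session-ID portion already split out of
 * the user session ID string. Returns 0 on success, -1 if a value fails
 * validation or the output buffer is too small. Validation happens before
 * the buffer is touched. */
int build_terminate_task(const char *iv_server_name, const char *user_session_id,
                         char *out, size_t out_len)
{
    if (!token_is_clean(iv_server_name, 128) || !token_is_clean(user_session_id, 512))
        return -1;
    int n = snprintf(out, out_len, "server task %s terminate session %s",
                     iv_server_name, user_session_id);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

/* Convenience check: does the command built from (srv, sid) equal expected? */
int terminate_task_equals(const char *srv, const char *sid, const char *expected)
{
    char buf[1024];
    if (build_terminate_task(srv, sid, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}
```

The returned string is what the application then hands to ivadmin_server_performtask(); the sample instance and session values used in any test are constructed, not real identifiers.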

WebSEAL verifies the back-end server initiating the terminate operation has appropriate permissions before terminating the user's session. WebSEAL then removes the corresponding session cache entry so the session is terminated.

It is important to consider the conditions under which this command is used. If the intent is to remove a user from the secure domain entirely, terminating a single user session is effective only when, in addition, the account for that user is also invalidated (removed).

Certain authentication methods—such as basic authentication, client-side certificate, LTPA cookies and failover cookies—return cached authentication information automatically with no user intervention. The pdadmin server task terminate session action would not prevent return logins for a user using any of those authentication methods. We must additionally invalidate the appropriate user account in the registry.

Refer to the Administration C API Developer Reference for further information and for ivadmin_server_performtask() syntax.

When a user is logged out unexpectedly because of session termination, the original session cookie remaining on the user's browser becomes an old, or "stale", cookie that no longer maps to an existing entry in the WebSEAL session cache. When the user makes a subsequent request for a protected object, WebSEAL requires authentication and returns a login form. We can customize the login response to include additional information explaining the reason for the new login requirement. For further information on this feature, see Customized responses for old session cookies.
