Tags: httpsession, xpages, lotus-domino

Invalidate / Drop Domino HTTP Session?

As far as I know, it is not possible to invalidate or drop a specific Domino HTTP session (or multiple sessions, say, based on a user name) (darn IMAP). Is there, or what would be, a proper workaround / mechanism to somehow drop / invalidate Domino HTTP session(s)?

Some example cases could be:

  • Same user, two sessions; in one of them the user changes the HTTP password (at this point all other sessions should be invalidated immediately). If he/she continues working / browsing in the other (browser) session, at some point you get the "authentication failure using internet password" message on your console, and if you're out of luck the user gets locked out.
  • Facebook-style: have an overview of your current active sessions. One step further: if the user sees a suspicious session based on IP/location, give them control to invalidate it.
  • A client calls: "I've got the feeling my session has been hijacked." First response: "You are a smart user, aren't you?" Subsequently you want to drop all sessions with that user name (via console or an "admin" web interface).
  • ...

Solution

  • You would have to take control of the authentication process, which could be done using the DSAPI interface that is described in the Notes C API documentation. I've only done some pretty minimal DSAPI work myself, but I understand from others who have worked with it extensively that advanced work with DSAPI is definitely not for the faint-hearted. You might want to look into some third-party products (e.g. from PistolStar) that may provide at least some of the functionality you are looking for.
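Short of DSAPI, the usual application-level workaround is to keep your own registry of logins and check it on every request: the server's session table is left alone, and a request whose session fails the check is treated as logged out (redirect to the login page). The following is an added illustration of that pattern, not code from the question, the answer, Domino, XPages or DSAPI; the `SessionRegistry` class and its method names are assumptions for this example, and the user names and IP addresses are constructed. It covers the three cases from the question: listing a user's active sessions, revoking one or all of them, and automatically rejecting every session issued before a password change (tracked as a per-user "credential epoch", so even a session the registry never saw is refused once its epoch is older than the user's last password change).

```python
"""Application-level HTTP session registry with per-user enumeration,
revocation and automatic invalidation on password change.
Added example; not Domino/XPages/DSAPI code."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    session_id: str
    user: str
    remote_ip: str
    created_at: float
    last_seen: float
    # Snapshot of the user's credential epoch when this session was issued.
    auth_epoch: float


class SessionRegistry:
    def __init__(self, idle_timeout: float = 1800.0) -> None:
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}        # session id -> Session
        self._by_user: Dict[str, Set[str]] = {}        # user -> session ids
        # user -> time of last password change; older sessions are refused.
        self._auth_epoch: Dict[str, float] = {}

    def login(self, user: str, remote_ip: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)   # 256-bit random id, never user-derived
        self._sessions[sid] = Session(sid, user, remote_ip, now, now,
                                      self._auth_epoch.get(user, 0.0))
        self._by_user.setdefault(user, set()).add(sid)
        return sid

    def validate(self, sid: str, now: Optional[float] = None) -> Optional[Session]:
        """Run on every request; returns the Session or None (= force logout)."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        stale = now - s.last_seen > self.idle_timeout
        superseded = s.auth_epoch < self._auth_epoch.get(s.user, 0.0)
        if stale or superseded:
            self._drop(s)
            return None
        s.last_seen = now
        return s

    def sessions_for(self, user: str) -> List[Session]:
        """Overview for a 'your active sessions' page or an admin console."""
        found = [self._sessions[sid] for sid in self._by_user.get(user, ())]
        return sorted(found, key=lambda s: s.created_at)

    def revoke(self, sid: str) -> bool:
        """Drop one session (e.g. the user flags it as suspicious)."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        self._drop(s)
        return True

    def revoke_all(self, user: str, keep: Optional[str] = None) -> int:
        """Drop every session of a user ('I think I was hijacked')."""
        dropped = 0
        for sid in list(self._by_user.get(user, ())):
            if sid != keep and self.revoke(sid):
                dropped += 1
        return dropped

    def password_changed(self, user: str, keep: Optional[str] = None,
                         now: Optional[float] = None) -> int:
        """Bump the credential epoch so all other sessions die at once; the
        session that performed the change (keep) is re-stamped and survives."""
        now = time.time() if now is None else now
        self._auth_epoch[user] = now
        kept = self._sessions.get(keep) if keep else None
        if kept is not None and kept.user == user:
            kept.auth_epoch = now
        return self.revoke_all(user, keep=keep)

    def _drop(self, s: Session) -> None:
        self._sessions.pop(s.session_id, None)
        ids = self._by_user.get(s.user)
        if ids is not None:
            ids.discard(s.session_id)
            if not ids:
                del self._by_user[s.user]
```

The epoch check is what closes the first case in the question: a browser that keeps sending an old session after the password changed is refused on its next request and sent back to login, instead of racing the server into an "authentication failure using internet password" lockout. The registry must be shared across the whole application (in XPages that would be application-wide state rather than per-request state) and the check must run before any page logic, or a revoked session can still do work.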