
Forgerock - OpenAM - retrieving all valid sessions for a specific user


How would I retrieve all valid sessions for a specific user? For example, if the user is logged in from multiple devices and decides to change password, or reset password. I need to be able to expire all active sessions and log the user out of all devices. This is especially important if the user is suspecting that his/her account has been compromised and needs to change the password. Currently I can retrieve RMEs but not sessions. I know this is doable from the UI but I need to put this feature in an SDK or API. Is there a curl command to easily achieve this?


Solution

  • Sarah,

    Currently there is no endpoint that will let you invalidate all user sessions. You would need the session token of each session and then call the /json/sessions/?_action=logout REST endpoint multiple times (once per session).

    That being said you can use the following class to get the list of sessions for a particular user:

    com.iplanet.dpro.session.service.SessionCount
    

    You can read the javadoc here.

    There are some constraints for using this method though. Session Quota must be enabled. You can enable Session Quota on the admin console by going to Configuration -> Global -> Session page and:

    • Set the number of "Active User Sessions"
    • Turn on "Enable Quota Constraints"

    To sum up, you can create your own custom endpoint that will take the User ID and invoke SessionCount.getAllSessionsByUUID(uuid) to get the list of active sessions. After that, you can iterate through the list of sessions and invalidate them one by one.

    Hope this answers your question.
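The "custom endpoint" approach described in the answer, written out as an added example (not code from the original post or from ForgeRock): it looks up the user's sessions with `SessionCount.getAllSessionsByUUID` and destroys each one through the public `SSOTokenManager` client SDK instead of a per-session REST logout call. It assumes the OpenAM 11/12 static signature `Map<String, Long> getAllSessionsByUUID(String uuid)` (session ID to expiration time), that Session Quota is enabled as the answer requires, and that the caller passes the user's universal ID DN; the class and method names `UserSessionRevoker` and `revokeAllSessions` are hypothetical.

```java
import java.util.Map;

import com.iplanet.dpro.session.service.SessionCount;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

/**
 * Hypothetical server-side helper for a custom OpenAM endpoint that revokes
 * every active session of one user (e.g. after a password reset).
 * Must run inside the OpenAM web application so the session service is reachable.
 */
public class UserSessionRevoker {

    /**
     * Invalidates all active sessions belonging to the user identified by
     * {@code uuid} (assumed to be the universal ID DN, such as
     * "id=sarah,ou=user,dc=openam,dc=forgerock,dc=org") and returns the number
     * of sessions actually destroyed.
     *
     * Requires Session Quota to be enabled, otherwise SessionCount cannot
     * enumerate sessions per user.
     */
    public static int revokeAllSessions(String uuid) throws Exception {
        // Assumed signature: session ID -> expiration time (ms since epoch).
        Map<String, Long> sessions = SessionCount.getAllSessionsByUUID(uuid);
        SSOTokenManager manager = SSOTokenManager.getInstance();
        int destroyed = 0;

        for (Map.Entry<String, Long> entry : sessions.entrySet()) {
            String sessionId = entry.getKey();
            try {
                // Resolve the session ID to a token; throws if it is unknown/expired.
                SSOToken token = manager.createSSOToken(sessionId);
                if (manager.isValidToken(token)) {
                    manager.destroyToken(token);   // server-side logout of this device
                    destroyed++;
                }
            } catch (SSOException e) {
                // Session already timed out or was logged out concurrently: skip it.
            }
        }
        return destroyed;
    }
}
```

Because the map is a snapshot, a session created between the lookup and the loop is not covered; calling the method again after the password change has been committed closes that window.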