
Before I start here: this is a duplicate from another post at serverFault.com ("https://serverfault.com/questions/1009946/hcl-domino-how-to-drop-users-logged-in-with-ltpatoken"); I first felt that would be the place to ask, but since I never got an answer I decided to try once more here.

We are running a Domino server (V 10.0.1 FP3) hosting a number of XPages applications. Apart from the admins all users are accessing those applications through http only (i.e., no nrpc / Notes client access).

The users' person data are synched from AD to Domino via TDI. Authentication is done against the company's AD, this is configured through a Web SSO config document. There however is no complete SSO set up so that users will have to authenticate when first accessing the applications through their browsers.

For application related reasons we set the Ltpa token's expiration time to a rather high value (if necessary I am willing to discuss the reasons for that in a separate thread, but this is not really related to this question here).

Here's a screenshot of the config page:

Screenshot: Web SSO Configuration

Domino's http task is restarted every morning at 2:30 through a program document issuing

restart task http

Some observations from that server:

  1. an http restart apparently doesn't invalidate the tokens, i.e. once the http is back up a user who kept the browser open can easily continue accessing the applications without having to re-authenticate (within the expiration time frame). (EDIT): This appears to be true even if the entire Domino server is restarted.
  2. if users simply close their browsers instead of correctly logging off the tokens at the server side aren't removed (again, as long as they don't expire). If then the user logs on again a 2nd /3rd / 4th token for this user appears server-side
  3. there's apparently no direct way to drop a user session, neither through a simple drop console command nor through admin client actions

Question: are there ways to drop those user sessions from the server side and/or truly invalidate the tokens?

Basically, what I'm looking for is a way to make sure that users have to re-authenticate every morning. As http is restarted at 2:30 every morning (see above) it would be ideal to also do this at or around that time.

For completeness: for this server we use an Internet site document which is set up like this:

Internet Site config

Any hint is very welcome.

Lothar Mueller
  • Can you explain (or show a screen-shot to illustrate) "If then the user logs on again a 2nd /3rd / 4th token for this user appears server-side". I'm not aware of a way to view tokens on the server-side, but I'm a few versions behind on my Domino admin knowledge. AFAIK, tokens are just cookies. They are self-contained and once issued by the server, they are valid without the server having to keep track of them. It just reads them when they come, decrypts them to assure that they are valid and unexpired. – Richard Schwartz Apr 14 '20 at 14:50
  • there are 2 ways to see which user is currently known to the server as an Internet user: a) through admin client > Server > Status > Internet Users b) from console through "tell http show users" If you log in to your Domino server from 3 different browsers using the same credentials you'll be listed 3 times. This is no surprise, really. But: reading this passage again I realize that it doesn't really have to do with my problem in the first place. So it might have been confusing... – Lothar Mueller Apr 14 '20 at 16:20
  • Basically this boils down to the fact that the server apparently has no means to extend the validity of a token issued to a browser. If that was possible we could easily reduce the initial validity to say 2 or 3 hours, and if the user is active during that time span validity is extended... – Lothar Mueller Apr 14 '20 at 16:22
  • 1
    Yes, I suspected you might have been referring to the Internet Users/tell http show users output, and as you have come to realize, this isn't related to unique tokens. And yes, I believe you're right about the way the tokens work, at least as far as the native functionality is concerned. I think it might be possible to do what you want by developing a DSAPI extension using the Notes C API, but that would be a huge amount of work and there are very few people who have experience with it. (I did one small DSAPI project 15 years ago, and I don't remember any details -- but there were a lot!) – Richard Schwartz Apr 15 '20 at 02:49
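An added illustration, not from the question, the comments or HCL's own code, of why observations 1 and 2 follow from self-contained tokens: a simplified stand-in for an SSO token with a constructed key, built on the principle described in the comments (signed claims, validated without any server-side session record). The real LTPA wire format differs; what carries over is that a server holding no session state has exactly three levers to force re-authentication: natural expiry, an issued-before cutoff enforced at validation time, or rotating the signing key.

```python
import base64
import hashlib
import hmac
import json

SIG_LEN = 32  # HMAC-SHA256 output length in bytes

def issue_token(key: bytes, user: str, issued_at: int, ttl: int) -> str:
    """Mint a self-contained token: signed claims, no server-side session record."""
    body = json.dumps({"u": user, "iat": issued_at, "exp": issued_at + ttl},
                      separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + sig).decode()

def validate_token(key: bytes, token: str, now: int, not_before: int = 0):
    """Stateless check: signature, expiry and an optional issued-after cutoff.

    Returns the user name on success, None otherwise. Nothing here consults a
    session table, which is why an HTTP (or full server) restart leaves every
    unexpired token usable, and why closing the browser removes nothing.
    """
    raw = base64.urlsafe_b64decode(token)
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered, or signed with a key the server no longer holds
    claims = json.loads(body)
    if now >= claims["exp"]:
        return None  # natural expiry, the only invalidation the question observes
    if claims["iat"] < not_before:
        return None  # issued before the cutoff (e.g. this morning's 02:30 restart)
    return claims["u"]

KEY = b"constructed-demo-key-not-a-real-ltpa-key"  # constructed sample key
T0 = 1_600_000_000          # constructed "issued at" instant
HOUR, DAY = 3600, 86400

def demo():
    tok = issue_token(KEY, "CN=Jane Doe/O=Example", T0, 30 * DAY)
    # 1. restart with the same key: the token is still accepted 12 hours later
    after_restart = validate_token(KEY, tok, T0 + 12 * HOUR)
    # 2. keep the key, but reject anything issued before a cutoff set at restart
    cutoff = T0 + 17 * HOUR
    after_cutoff = validate_token(KEY, tok, T0 + 18 * HOUR, not_before=cutoff)
    # 3. rotate the signing key: every outstanding token fails the signature check
    after_rotation = validate_token(b"rotated-key", tok, T0 + 18 * HOUR)
    return after_restart, after_cutoff, after_rotation
```

Whether Domino exposes the cutoff or the key rotation out of the box is not something this thread establishes; the model only shows what the server would need to do at 02:30 to make everyone log in again, and that the cutoff is the gentler option because it leaves the key (and any other servers sharing it) untouched.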

0 Answers