Termination of all user sessions
An administrator or a back-end application can use the Verify Identity Access administration API to call the pdadmin command that terminates all sessions for a specific user based on the user's login ID.
For example:
pdadmin> server task instance-webseald-host terminate all_sessions login_id
The user's login ID (login_id) can be passed to the junctioned back-end server in the Verify Identity Access iv-user header. To accomplish this task, you must initially create the junction using the -c iv_user option and argument. See Client identity in HTTP headers (–c).
The Reverse Proxy session cache is organized to cross-reference the user's login ID, the Reverse Proxy session ID, and other cache entry information. A user always has the same login ID across multiple sessions. Each Reverse Proxy session ID, however, is unique. The pdadmin server task terminate all_sessions command removes all cache entries belonging to a specific user's login ID.

Reverse Proxy checks for appropriate permissions on the initiator of the pdadmin command before terminating user sessions.
It is important to consider the conditions under which this command might be used. If the intent is to remove a certain group of users from the secure domain entirely, the pdadmin server task terminate all_sessions command is effective only when the accounts for those users are also made not valid (removed).
Certain authentication methods—such as basic authentication, client-side certificate, LTPA cookies and failover cookies—return cached authentication information automatically with no user intervention. The pdadmin server task terminate all_sessions command would not prevent return logins for users using any of those authentication methods. You must additionally invalidate the appropriate user accounts in the registry.
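The following added example (not from the product documentation) shows how a back-end application might turn the iv-user header value into the pdadmin commands described above, rejecting values that could add extra arguments or lines. The function name, the login ID allowlist, the sample server name, and the choice to invalidate the account before terminating sessions are assumptions of this example; it also assumes the login ID is the same as the pdadmin user name.

```python
import re

# Assumption: login IDs in this registry use only these characters. Tighten or
# widen to match your own naming rules. Whitespace, quotes and control
# characters are rejected so a header value cannot inject pdadmin syntax.
_LOGIN_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,127}")
# The server name comes from configuration, not from the request, but is
# still checked for whitespace and shell or pdadmin metacharacters.
_SERVER_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def revocation_commands(server_name, iv_user, invalidate_account=True):
    """Return the ordered pdadmin commands that end a user's access.

    server_name: pdadmin server name of the Reverse Proxy instance.
    iv_user:     login ID as received in the iv-user header.
    """
    if not _SERVER_NAME.fullmatch(server_name):
        raise ValueError("unexpected server name: %r" % (server_name,))
    if not _LOGIN_ID.fullmatch(iv_user):
        raise ValueError("unexpected login ID: %r" % (iv_user,))

    commands = []
    if invalidate_account:
        # Invalidate first: basic authentication, client certificates, LTPA
        # and failover cookies re-authenticate silently, so terminating the
        # sessions alone would let the user straight back in.
        commands.append("user modify %s account-valid no" % iv_user)
    commands.append(
        "server task %s terminate all_sessions %s" % (server_name, iv_user)
    )
    return commands


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    for line in revocation_commands("default-webseald-host.example.com", "jsmith"):
        print("pdadmin>", line)
```

The returned strings are passed to pdadmin through whatever administration interface the application already uses; the caller must hold the permissions that Reverse Proxy checks before terminating sessions.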
When a user is logged out unexpectedly because of session termination, the original session cookie remaining on the user's browser becomes an old, or "stale" cookie that no longer maps to an existing entry in the Reverse Proxy session cache. When the user makes a subsequent request for a protected object, Reverse Proxy requires authentication and returns a login form. You can customize the login response to contain additional information that explains the reason for the new login requirement. For further information on this feature, see Customized responses for old session cookies.